]> git.saurik.com Git - apple/security.git/blob - trust/SecPolicyPriv.h
Security-58286.220.15.tar.gz
[apple/security.git] / trust / SecPolicyPriv.h
1 /*
2 * Copyright (c) 2003-2017 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 /*!
25 @header SecPolicyPriv
26 The functions provided in SecPolicyPriv provide an interface to various
27 X.509 certificate trust policies.
28 */
29
30 #ifndef _SECURITY_SECPOLICYPRIV_H_
31 #define _SECURITY_SECPOLICYPRIV_H_
32
33 #include <Security/SecBase.h>
34 #include <Security/SecPolicy.h>
35 #include <Security/SecCertificate.h>
36 #include <CoreFoundation/CFArray.h>
37 #include <CoreFoundation/CFString.h>
38 #include <Availability.h>
39 #include <xpc/xpc.h>
40
41 __BEGIN_DECLS
42
43 CF_ASSUME_NONNULL_BEGIN
44 CF_IMPLICIT_BRIDGING_ENABLED
45
46 /*!
47 @enum Policy Constants (Private)
48 @discussion Predefined constants used to specify a policy.
49 */
50 extern const CFStringRef kSecPolicyAppleMobileStore
51 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
52 extern const CFStringRef kSecPolicyAppleTestMobileStore
53 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
54 extern const CFStringRef kSecPolicyAppleEscrowService
55 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
56 extern const CFStringRef kSecPolicyAppleProfileSigner
57 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
58 extern const CFStringRef kSecPolicyAppleQAProfileSigner
59 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
60 extern const CFStringRef kSecPolicyAppleServerAuthentication
61 __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0);
62 extern const CFStringRef kSecPolicyAppleOTAPKISigner
63 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_12, __MAC_10_13_4, __IPHONE_7_0, __IPHONE_11_3);
64 extern const CFStringRef kSecPolicyAppleTestOTAPKISigner
65 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_12, __MAC_10_13_4, __IPHONE_7_0, __IPHONE_11_3);
66 extern const CFStringRef kSecPolicyAppleIDValidationRecordSigningPolicy
67 API_DEPRECATED_WITH_REPLACEMENT("kSecPolicyAppleIDValidationRecordSigning", ios(7.0,10.0), macos(10.9,10.12));
68 extern const CFStringRef kSecPolicyAppleIDValidationRecordSigning
69 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
70 extern const CFStringRef kSecPolicyAppleSMPEncryption
71 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_8_0);
72 extern const CFStringRef kSecPolicyAppleTestSMPEncryption
73 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_8_0);
74 extern const CFStringRef kSecPolicyApplePCSEscrowService
75 __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_7_0);
76 extern const CFStringRef kSecPolicyApplePPQSigning
77 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
78 extern const CFStringRef kSecPolicyAppleTestPPQSigning
79 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
80 extern const CFStringRef kSecPolicyAppleSWUpdateSigning
81 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
82 extern const CFStringRef kSecPolicyApplePackageSigning
83 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
84 extern const CFStringRef kSecPolicyAppleOSXProvisioningProfileSigning
85 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
86 extern const CFStringRef kSecPolicyAppleATVVPNProfileSigning
87 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
88 extern const CFStringRef kSecPolicyAppleAST2DiagnosticsServerAuth
89 __OSX_AVAILABLE_STARTING(__MAC_10_11_4, __IPHONE_9_3);
90 extern const CFStringRef kSecPolicyAppleEscrowProxyServerAuth
91 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
92 extern const CFStringRef kSecPolicyAppleFMiPServerAuth
93 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
94 extern const CFStringRef kSecPolicyAppleMMCService
95 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
96 extern const CFStringRef kSecPolicyAppleGSService
97 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
98 extern const CFStringRef kSecPolicyApplePPQService
99 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
100 extern const CFStringRef kSecPolicyAppleHomeKitServerAuth
101 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
102 extern const CFStringRef kSecPolicyAppleiPhoneActivation
103 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
104 extern const CFStringRef kSecPolicyAppleiPhoneDeviceCertificate
105 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
106 extern const CFStringRef kSecPolicyAppleFactoryDeviceCertificate
107 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
108 extern const CFStringRef kSecPolicyAppleiAP
109 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
110 extern const CFStringRef kSecPolicyAppleiTunesStoreURLBag
111 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
112 extern const CFStringRef kSecPolicyAppleiPhoneApplicationSigning
113 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
114 extern const CFStringRef kSecPolicyAppleiPhoneProfileApplicationSigning
115 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
116 extern const CFStringRef kSecPolicyAppleiPhoneProvisioningProfileSigning
117 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
118 extern const CFStringRef kSecPolicyAppleLockdownPairing
119 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
120 extern const CFStringRef kSecPolicyAppleURLBag
121 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
122 extern const CFStringRef kSecPolicyAppleOTATasking
123 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
124 extern const CFStringRef kSecPolicyAppleMobileAsset
125 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
126 extern const CFStringRef kSecPolicyAppleIDAuthority
127 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
128 extern const CFStringRef kSecPolicyAppleGenericApplePinned
129 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
130 extern const CFStringRef kSecPolicyAppleGenericAppleSSLPinned
131 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
132 extern const CFStringRef kSecPolicyAppleSoftwareSigning
133 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
134 extern const CFStringRef kSecPolicyAppleExternalDeveloper
135 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
136 extern const CFStringRef kSecPolicyAppleOCSPSigner
137 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
138 extern const CFStringRef kSecPolicyAppleIDSService
139 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
140 extern const CFStringRef kSecPolicyAppleIDSServiceContext
141 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
142 extern const CFStringRef kSecPolicyApplePushService
143 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
144 extern const CFStringRef kSecPolicyAppleLegacyPushService
145 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
146 extern const CFStringRef kSecPolicyAppleTVOSApplicationSigning
147 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
148 extern const CFStringRef kSecPolicyAppleUniqueDeviceIdentifierCertificate
149 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
150 extern const CFStringRef kSecPolicyAppleEscrowProxyCompatibilityServerAuth
151 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
152 extern const CFStringRef kSecPolicyAppleMMCSCompatibilityServerAuth
153 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
154 extern const CFStringRef kSecPolicyAppleSecureIOStaticAsset
155 __OSX_AVAILABLE(10.12.1) __IOS_AVAILABLE(10.1) __TVOS_AVAILABLE(10.0.1) __WATCHOS_AVAILABLE(3.1);
156 extern const CFStringRef kSecPolicyAppleWarsaw
157 __OSX_AVAILABLE(10.12.1) __IOS_AVAILABLE(10.1) __TVOS_AVAILABLE(10.0.1) __WATCHOS_AVAILABLE(3.1);
158 extern const CFStringRef kSecPolicyAppleiCloudSetupServerAuth
159 __OSX_AVAILABLE(10.12.4) __IOS_AVAILABLE(10.3) __TVOS_AVAILABLE(10.2) __WATCHOS_AVAILABLE(3.2);
160 extern const CFStringRef kSecPolicyAppleiCloudSetupCompatibilityServerAuth
161 __OSX_AVAILABLE(10.12.4) __IOS_AVAILABLE(10.3) __TVOS_AVAILABLE(10.2) __WATCHOS_AVAILABLE(3.2);
162 extern const CFStringRef kSecPolicyAppleAppTransportSecurity
163 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
164 extern const CFStringRef kSecPolicyAppleMobileSoftwareUpdate
165 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
166 extern const CFStringRef kSecPolicyAppleMobileAssetDevelopment
167 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
168 extern const CFStringRef kSecPolicyAppleMacOSProfileApplicationSigning
169 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
170 extern const CFStringRef kSecPolicyAppleBasicAttestationSystem
171 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
172 extern const CFStringRef kSecPolicyAppleBasicAttestationUser
173 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
174 extern const CFStringRef kSecPolicyAppleiPhoneVPNApplicationSigning
175 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
176 extern const CFStringRef kSecPolicyAppleiAPSWAuth
177 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0));
178 extern const CFStringRef kSecPolicyAppleDemoDigitalCatalog
179 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0));
180 extern const CFStringRef kSecPolicyAppleAssetReceipt
181 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0));
182 extern const CFStringRef kSecPolicyAppleDeveloperIDPlusTicket
183 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0));
184
185 /*!
186 @enum Policy Name Constants (Private)
187 @discussion Predefined constants used to specify a SSL Pinning policy.
188 To be used with SecTrustSetPolicyName.
189 @constant kSecPolicyNameAppleAST2Service
190 @constant kSecPolicyNameAppleEscrowProxyService
191 @constant kSecPolicyNameAppleFMiPService
192 @constant kSecPolicyNameAppleGSService
193 @constant kSecPolicyNameAppleHomeKitService
194 @constant kSecPolicyNameAppleiCloudSetupService
195 @constant kSecPolicyNameAppleIDSService
196 @constant kSecPolicyNameAppleMMCSService
197 @constant kSecPolicyNameApplePPQService
198 @constant kSecPolicyNameApplePushService
199 @constant kSecPolicyNameAppleAIDCService
200 @constant kSecPolicyNameAppleMapsService
201 @constant kSecPolicyNameAppleHealthProviderService
202 @constant kSecPolicyNameAppleParsecService
203 */
204 extern const CFStringRef kSecPolicyNameAppleAST2Service
205 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
206 extern const CFStringRef kSecPolicyNameAppleEscrowProxyService
207 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
208 extern const CFStringRef kSecPolicyNameAppleFMiPService
209 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
210 extern const CFStringRef kSecPolicyNameAppleGSService
211 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
212 extern const CFStringRef kSecPolicyNameAppleHomeKitService
213 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
214 extern const CFStringRef kSecPolicyNameAppleiCloudSetupService
215 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
216 extern const CFStringRef kSecPolicyNameAppleIDSService
217 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
218 extern const CFStringRef kSecPolicyNameAppleMMCSService
219 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
220 extern const CFStringRef kSecPolicyNameApplePPQService
221 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
222 extern const CFStringRef kSecPolicyNameApplePushService
223 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
224 extern const CFStringRef kSecPolicyNameAppleAIDCService
225 __OSX_AVAILABLE(10.13.4) __IOS_AVAILABLE(11.3) __TVOS_AVAILABLE(11.3) __WATCHOS_AVAILABLE(4.3);
226 extern const CFStringRef kSecPolicyNameAppleMapsService
227 __OSX_AVAILABLE(10.13.4) __IOS_AVAILABLE(11.3) __TVOS_AVAILABLE(11.3) __WATCHOS_AVAILABLE(4.3);
228 extern const CFStringRef kSecPolicyNameAppleHealthProviderService
229 __OSX_AVAILABLE(10.13.4) __IOS_AVAILABLE(11.3) __TVOS_AVAILABLE(11.3) __WATCHOS_AVAILABLE(4.3);
230 extern const CFStringRef kSecPolicyNameAppleParsecService
231 __OSX_AVAILABLE(10.13.4) __IOS_AVAILABLE(11.3) __TVOS_AVAILABLE(11.3) __WATCHOS_AVAILABLE(4.3);
232
233 /*!
234 @enum Policy Value Constants
235 @abstract Predefined property key constants used to get or set values in
236 a dictionary for a policy instance.
237 @discussion
238 All policies will have the following read-only value:
239 kSecPolicyOid (the policy object identifier)
240
241 Additional policy values which your code can optionally set:
242 kSecPolicyName (name which must be matched)
243 kSecPolicyClient (evaluate for client, rather than server)
244 kSecPolicyRevocationFlags (only valid for a revocation policy)
245 kSecPolicyRevocationFlags (only valid for a revocation policy)
246 kSecPolicyTeamIdentifier (only valid for a Passbook signing policy)
247 kSecPolicyContext (valid for policies below that take a context parameter)
248 kSecPolicyPolicyName (only valid for GenericApplePinned or
249 GenericAppleSSLPinned policies)
250 kSecPolicyIntermediateMarkerOid (only valid for GenericApplePinned or
251 GenericAppleSSLPinned policies)
252 kSecPolicyLeafMarkerOid (only valid for GenericApplePinned or
253 GenericAppleSSLPinned policies)
254 kSecPolicyRootDigest (only valid for the UniqueDeviceCertificate policy)
255
256 @constant kSecPolicyContext Specifies a CFDictionaryRef with keys and values
257 specified by the particular SecPolicyCreate function.
258 @constant kSecPolicyPolicyName Specifies a CFStringRef of the name of the
259 desired policy result.
260 @constant kSecPolicyIntermediateMarkerOid Specifies a CFStringRef of the
261 marker OID (in decimal format) required in the intermediate certificate.
262 @constant kSecPolicyLeafMarkerOid Specifies a CFStringRef of the
263 marker OID (in decimal format) required in the leaf certificate.
264 @constant kSecPolicyRootDigest Specifies a CFDataRef of digest required to
265 match the SHA-256 of the root certificate.
266 */
267 extern const CFStringRef kSecPolicyContext
268 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
269 extern const CFStringRef kSecPolicyPolicyName
270 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
271 extern const CFStringRef kSecPolicyIntermediateMarkerOid
272 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
273 extern const CFStringRef kSecPolicyLeafMarkerOid
274 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
275 extern const CFStringRef kSecPolicyRootDigest
276 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
277
278 /*!
279 @enum Revocation Policy Constants
280 @abstract Predefined constants which allow you to specify how revocation
281 checking will be performed for a trust evaluation.
282 @constant kSecRevocationOnlineCheck If this flag is set, perform an online
283 revocation check, ignoring cached revocation results. This flag will not force
284 an online check if an online check was done within the last 5 minutes. Online
285 checks are only applicable to OCSP; this constant will not force a fresh
286 CRL download.
287 @constant kSecRevocationCheckIfTrusted If this flag is set, perform network-based
288 revocation checks only if the chain has no other validation errors. This flag
289 overrides SecTrustSetNetworkFetchAllowed and kSecRevocationNetworkAccessDisabled
290 for revocation checking (but not for intermediate fetching).
291 Note that this flag's behavior is not default because revoked certs produce Fatal
292 trust results, whereas most checks produce Recoverable trust results. If we skip
293 revocation checks on untrusted chains, the user may be able to ignore the failures
294 of a revoked cert.
295 */
296 CF_ENUM(CFOptionFlags) {
297 kSecRevocationOnlineCheck = (1 << 5),
298 kSecRevocationCheckIfTrusted = (1 << 6),
299 };
300
301 /*!
302 @function SecPolicyCreateApplePinned
303 @abstract Returns a policy object for verifying Apple certificates.
304 @param policyName A string that identifies the policy name.
305 @param intermediateMarkerOID A string containing the decimal representation of the
306 extension OID in the intermediate certificate.
307 @param leafMarkerOID A string containing the decimal representation of the extension OID
308 in the leaf certificate.
309 @discussion The resulting policy uses the Basic X.509 policy with validity check and
310 pinning options:
311 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
312 the chain to be anchored to Test Apple Root CAs if the value true is set for the key
313 "ApplePinningAllowTestCerts%@" (where %@ is the policyName parameter) in the
314 com.apple.security preferences for the user of the calling application.
315 * There are exactly 3 certs in the chain.
316 * The intermediate has a marker extension with OID matching the intermediateMarkerOID
317 parameter.
318 * The leaf has a marker extension with OID matching the leafMarkerOID parameter.
319 * Revocation is checked via any available method.
320 * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
321 @result A policy object. The caller is responsible for calling CFRelease on this when
322 it is no longer needed.
323 */
324 __nullable CF_RETURNS_RETAINED
325 SecPolicyRef SecPolicyCreateApplePinned(CFStringRef policyName,
326 CFStringRef intermediateMarkerOID, CFStringRef leafMarkerOID)
327 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
328
329 /*!
330 @function SecPolicyCreateAppleSSLPinned
331 @abstract Returns a policy object for verifying Apple SSL certificates.
332 @param policyName A string that identifies the service/policy name.
333 @param hostname hostname to verify the certificate name against.
334 @param intermediateMarkerOID A string containing the decimal representation of the
335 extension OID in the intermediate certificate. If NULL is passed, the default OID of
336 1.2.840.113635.100.6.2.12 is checked.
337 @param leafMarkerOID A string containing the decimal representation of the extension OID
338 in the leaf certificate.
339 @discussion The resulting policy uses the Basic X.509 policy with validity check and
340 pinning options:
341 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
342 the chain to be anchored to Test Apple Root CAs if the value true is set for the key
343 "ApplePinningAllowTestCerts%@" (where %@ is the policyName parameter) in the
344 com.apple.security preferences for the user of the calling application.
345 * There are exactly 3 certs in the chain.
346 * The intermediate has a marker extension with OID matching the intermediateMarkerOID
347 parameter, or 1.2.840.113635.100.6.2.12 if NULL is passed.
348 * The leaf has a marker extension with OID matching the leafMarkerOID parameter.
349 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
350 extension or Common Name.
351 * The leaf has ExtendedKeyUsage with the ServerAuth OID.
352 * Revocation is checked via any available method.
353 * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
354 @result A policy object. The caller is responsible for calling CFRelease on this when
355 it is no longer needed.
356 */
357 __nullable CF_RETURNS_RETAINED
358 SecPolicyRef SecPolicyCreateAppleSSLPinned(CFStringRef policyName, CFStringRef hostname,
359 CFStringRef __nullable intermediateMarkerOID, CFStringRef leafMarkerOID)
360 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
361
362 /*!
363 @function SecPolicyCreateiPhoneActivation
364 @abstract Returns a policy object for verifying iPhone Activation
365 certificate chains.
366 @discussion This policy uses the Basic X.509 policy with no validity check
367 and pinning options:
368 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
369 the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
370 * There are exactly 3 certs in chain.
371 * The intermediate has Common Name "Apple iPhone Certification Authority".
372 * The leaf has Common Name "iPhone Activation".
373 @result A policy object. The caller is responsible for calling CFRelease
374 on this when it is no longer needed.
375 */
376 __nullable CF_RETURNS_RETAINED
377 SecPolicyRef SecPolicyCreateiPhoneActivation(void);
378
379 /*!
380 @function SecPolicyCreateiPhoneDeviceCertificate
381 @abstract Returns a policy object for verifying iPhone Device certificate
382 chains.
383 @discussion This policy uses the Basic X.509 policy with no validity check
384 and pinning options:
385 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
386 the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
387 * There are exactly 4 certs in chain.
388 * The first intermediate has Common Name "Apple iPhone Device CA".
389 @result A policy object. The caller is responsible for calling CFRelease
390 on this when it is no longer needed.
391 */
392 __nullable CF_RETURNS_RETAINED
393 SecPolicyRef SecPolicyCreateiPhoneDeviceCertificate(void);
394
395 /*!
396 @function SecPolicyCreateFactoryDeviceCertificate
397 @abstract Returns a policy object for verifying Factory Device certificate
398 chains.
399 @discussion This policy uses the Basic X.509 policy with no validity check
400 and pinning options:
401 * The chain is anchored to the Factory Device CA.
402 @result A policy object. The caller is responsible for calling CFRelease
403 on this when it is no longer needed.
404 */
405 __nullable CF_RETURNS_RETAINED
406 SecPolicyRef SecPolicyCreateFactoryDeviceCertificate(void);
407
408 /*!
409 @function SecPolicyCreateiAP
410 @abstract Returns a policy object for verifying iAP certificate chains.
411 @discussion This policy uses the Basic X.509 policy with no validity check
412 and pinning options:
413 * The leaf has notBefore date after 5/31/2006 midnight GMT.
414 * The leaf has Common Name beginning with "IPA_".
415 The intended use of this policy is that the caller pass in the
416 intermediates for iAP1 and iAP2 to SecTrustSetAnchorCertificates().
417 @result A policy object. The caller is responsible for calling CFRelease
418 on this when it is no longer needed.
419 */
420 __nullable CF_RETURNS_RETAINED
421 SecPolicyRef SecPolicyCreateiAP(void);
422
423 /*!
424 @function SecPolicyCreateiTunesStoreURLBag
425 @abstract Returns a policy object for verifying iTunes Store URL bag
426 certificates.
427 @discussion This policy uses the Basic X.509 policy with no validity check
428 and pinning options:
429 * The chain is anchored to the iTMS CA.
430 * There are exactly 2 certs in the chain.
431 * The leaf has Organization "Apple Inc.".
432 * The leaf has Common Name "iTunes Store URL Bag".
433 @result A policy object. The caller is responsible for calling CFRelease
434 on this when it is no longer needed.
435 */
436 __nullable CF_RETURNS_RETAINED
437 SecPolicyRef SecPolicyCreateiTunesStoreURLBag(void);
438
439 /*!
440 @function SecPolicyCreateEAP
441 @abstract Returns a policy object for verifying for 802.1x/EAP certificates.
442 @param server Passing true for this parameter create a policy for EAP
443 server certificates.
444 @param trustedServerNames Optional; if present, the hostname in the leaf
445 certificate must be in the trustedServerNames list. Note that contrary
446 to all other policies the trustedServerNames list entries can have wildcards
447 whilst the certificate cannot. This matches the existing deployments.
448 @discussion This policy uses the Basic X.509 policy with validity check but
449 disallowing network fetching. If trustedServerNames param is non-null, the
450 ExtendedKeyUsage extension, if present, of the leaf certificate is verified
451 to contain either the ServerAuth OID, if the server param is true or
452 ClientAuth OID, otherwise.
453 @result A policy object. The caller is responsible for calling CFRelease
454 on this when it is no longer needed.
455 */
456 __nullable CF_RETURNS_RETAINED
457 SecPolicyRef SecPolicyCreateEAP(Boolean server, CFArrayRef __nullable trustedServerNames);
458
459 /*!
460 @function SecPolicyCreateIPSec
461 @abstract Returns a policy object for evaluating IPSec certificate chains.
462 @param server Passing true for this parameter create a policy for IPSec
463 server certificates.
464 @param hostname Optional; if present, the policy will require the specified
465 hostname or ip address to match the hostname in the leaf certificate.
466 @discussion This policy uses the Basic X.509 policy with validity check.
467 @result A policy object. The caller is responsible for calling CFRelease
468 on this when it is no longer needed.
469 */
470 __nullable CF_RETURNS_RETAINED
471 SecPolicyRef SecPolicyCreateIPSec(Boolean server, CFStringRef __nullable hostname);
472
473 /*!
474 @function SecPolicyCreateAppleSWUpdateSigning
475 @abstract Returns a policy object for evaluating SW update signing certs.
476 @discussion This policy uses the Basic X.509 policy with no validity check
477 and pinning options:
478 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
479 the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
480 * There are exactly 3 certs in the chain.
481 * The intermediate ExtendedKeyUsage Extension contains 1.2.840.113635.100.4.1.
482 * The leaf ExtendedKeyUsage extension contains 1.2.840.113635.100.4.1.
483 @result A policy object. The caller is responsible for calling CFRelease
484 on this when it is no longer needed.
485 */
486 __nullable CF_RETURNS_RETAINED
487 SecPolicyRef SecPolicyCreateAppleSWUpdateSigning(void);
488
489 /*!
490 @function SecPolicyCreateApplePackageSigning
491 @abstract Returns a policy object for evaluating installer package signing certs.
492 @discussion This policy uses the Basic X.509 policy with no validity check
493 and pinning options:
494 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
495 the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
496 * There are exactly 3 certs in the chain.
497 * The leaf KeyUsage extension has the digital signature bit set.
498 * The leaf ExtendedKeyUsage extension has the CodeSigning OID.
499 @result A policy object. The caller is responsible for calling CFRelease
500 on this when it is no longer needed.
501 */
502 __nullable CF_RETURNS_RETAINED
503 SecPolicyRef SecPolicyCreateApplePackageSigning(void);
504
505 /*!
506 @function SecPolicyCreateiPhoneApplicationSigning
507 @abstract Returns a policy object for evaluating signed application
508 signatures. This is for apps signed directly by the app store.
509 @discussion This policy uses the Basic X.509 policy with no validity check
510 and pinning options:
511 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
512 the chain to be anchored to Test Apple Root CAs.
513 * There are exactly 3 certs in the chain.
514 * The intermediate has Common Name "Apple iPhone Certification Authority".
515 * The leaf has Common Name "Apple iPhone OS Application Signing".
516 * The leaf has a marker extension with OID 1.2.840.113635.100.6.1.3 or OID
517 1.2.840.113635.100.6.1.6.
518 * The leaf has ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID
519 or the CodeSigning OID.
520 @result A policy object. The caller is responsible for calling CFRelease
521 on this when it is no longer needed.
522 */
523 __nullable CF_RETURNS_RETAINED
524 SecPolicyRef SecPolicyCreateiPhoneApplicationSigning(void);
525
526 /*!
527 @function SecPolicyCreateiPhoneVPNApplicationSigning
528 @abstract Returns a policy object for evaluating signed VPN application
529 signatures. This is for VPN plugins signed directly by the VPN team.
530 @discussion This policy uses the Basic X.509 policy with no validity check
531 and pinning options:
532 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
533 the chain to be anchored to Test Apple Root CAs.
534 * There are exactly 3 certs in the chain.
535 * The intermediate has Common Name "Apple iPhone Certification Authority".
536 * The leaf has Common Name "Apple iPhone OS Application Signing".
537 * The leaf has a marker extension with 1.2.840.113635.100.6.1.6.
538 * The leaf has ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID
539 or the CodeSigning OID.
540 @result A policy object. The caller is responsible for calling CFRelease
541 on this when it is no longer needed.
542 */
543 __nullable CF_RETURNS_RETAINED
544 SecPolicyRef SecPolicyCreateiPhoneVPNApplicationSigning(void)
545 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
546
547 /*!
548 @function SecPolicyCreateiPhoneProfileApplicationSigning
549 @abstract Returns a policy object for evaluating signed application
550 signatures. This policy is for certificates inside a UPP or regular
551 profile.
552 @discussion This policy uses the Basic X.509 policy with validity check and
553 pinning options:
554 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
555 the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
556 * There are exactly 3 certs in the chain.
557 * The intermediate has a marker extension with OID matching 1.2.840.113635.100.6.2.1 (WWDR CA).
558 * The leaf has a marker extension with OID matching one of the following:
559 * 1.2.840.113635.100.6.1.2 ("iPhone Developer" leaf)
560 * 1.2.840.113635.100.6.1.4 ("iPhone Distribution" leaf)
561 * 1.2.840.113635.100.6.1.25.1 ("TestFlight" leaf)
562 * On internal releases, 1.2.840.113635.100.6.1.25.2
563 * The leaf has an ExtendedKeyUsage OID matching 1.3.6.1.5.5.7.3.3 (CodeSigning EKU).
564 * Revocation is checked via any available method.
565 @result A policy object. The caller is responsible for calling CFRelease
566 on this when it is no longer needed.
567 */
568 __nullable CF_RETURNS_RETAINED
569 SecPolicyRef SecPolicyCreateiPhoneProfileApplicationSigning(void);
570
571 /*!
572 @function SecPolicyCreateMacOSProfileApplicationSigning
573 @abstract Returns a policy object for evaluating signed application
574 signatures. This policy is for certificates inside a UPP or regular
575 profile.
576 @discussion This policy uses the Basic X.509 policy with no validity check
577 and pinning options:
578 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
579 the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
580 * There are exactly 3 certs in the chain.
581 * The leaf has a marker extension with OID matching one of the following:
582 * 1.2.840.113635.100.6.1.7 ("3rd Party Mac Developer Application" leaf)
583 * 1.2.840.113635.100.6.1.12 ("Mac Developer" leaf)
584 * 1.2.840.113635.100.6.1.13 ("Developer ID Application" leaf)
585 * 1.2.840.113635.100.6.22 ("Software Signing" leaf
586 * The leaf has an ExtendedKeyUsage OID matching 1.3.6.1.5.5.7.3.3 (CodeSigning EKU).
587 * Revocation is checked via any available method.
588 @result A policy object. The caller is responsible for calling CFRelease
589 on this when it is no longer needed.
590 */
591 __nullable CF_RETURNS_RETAINED
592 SecPolicyRef SecPolicyCreateMacOSProfileApplicationSigning(void)
593 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
594
595 /*!
596 @function SecPolicyCreateiPhoneProvisioningProfileSigning
597 @abstract Returns a policy object for evaluating provisioning profile signatures.
598 @discussion This policy uses the Basic X.509 policy with no validity check
599 and pinning options:
600 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
601 the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
602 * There are exactly 3 certs in the chain.
603 * The intermediate has Common Name "Apple iPhone Certification Authority".
604 * The leaf has Common Name "Apple iPhone OS Provisioning Profile Signing".
605 * If the device is not a production device and is running an internal
606 release, the leaf may have the Common Name "TEST Apple iPhone OS
607 Provisioning Profile Signing TEST".
608 @result A policy object. The caller is responsible for calling CFRelease
609 on this when it is no longer needed.
610 */
611 __nullable CF_RETURNS_RETAINED
612 SecPolicyRef SecPolicyCreateiPhoneProvisioningProfileSigning(void);
613
614 /*!
615 @function SecPolicyCreateAppleTVOSApplicationSigning
616 @abstract Returns a policy object for evaluating signed application
617 signatures. This is for apps signed directly by the Apple TV app store,
618 and allows for both the prod and the dev/test certs.
619 @discussion This policy uses the Basic X.509 policy with no validity check
620 and pinning options:
621 * The chain is anchored to any of the production Apple Root CAs.
622 Test roots are never permitted.
623 * There are exactly 3 certs in the chain.
624 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1.
625 * The leaf has ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID or
626 the CodeSigning OID.
627 * The leaf has a marker extension with OID 1.2.840.113635.100.6.1.24 or OID
628 1.2.840.113635.100.6.1.24.1.
629 @result A policy object. The caller is responsible for calling CFRelease
630 on this when it is no longer needed.
631 */
632 __nullable CF_RETURNS_RETAINED
633 SecPolicyRef SecPolicyCreateAppleTVOSApplicationSigning(void);
634
635 /*!
636 @function SecPolicyCreateOCSPSigner
637 @abstract Returns a policy object for evaluating ocsp response signers.
638 @discussion This policy uses the Basic X.509 policy with validity check and
639 requires the leaf to have an ExtendedKeyUsage of OCSPSigning.
640 @result A policy object. The caller is responsible for calling CFRelease
641 on this when it is no longer needed.
642 */
643 __nullable CF_RETURNS_RETAINED
644 SecPolicyRef SecPolicyCreateOCSPSigner(void);
645
646
647 enum {
648 kSecSignSMIMEUsage = (1 << 0),
649 kSecKeyEncryptSMIMEUsage = (1 << 1),
650 kSecDataEncryptSMIMEUsage = (1 << 2),
651 kSecKeyExchangeDecryptSMIMEUsage = (1 << 3),
652 kSecKeyExchangeEncryptSMIMEUsage = (1 << 4),
653 kSecKeyExchangeBothSMIMEUsage = (1 << 5),
654 kSecAnyEncryptSMIME = kSecKeyEncryptSMIMEUsage | kSecDataEncryptSMIMEUsage |
655 kSecKeyExchangeDecryptSMIMEUsage | kSecKeyExchangeEncryptSMIMEUsage,
656 kSecIgnoreExpirationSMIMEUsage = (1 << 6)
657 };
658
659 /*!
660 @function SecPolicyCreateSMIME
661 @abstract Returns a policy object for evaluating S/MIME certificate chains.
662 @param smimeUsage Pass the bitwise or of one or more kSecXXXSMIMEUsage
663 flags, to indicate the intended usage of this certificate.
664 @param email Optional; if present, the policy will require the specified
665 email to match the email in the leaf certificate.
666 @discussion This policy uses the Basic X.509 policy with validity check and
667 requires the leaf to have
668 * a KeyUsage matching the smimeUsage,
669 * an ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID or the
670 EmailProtection OID, and
671 * if the email param is specified, the email address in the RFC822Name in the
672 SubjectAlternativeName extension or in the Email Address field of the
673 Subject Name.
674 Note that temporal validity checking can be disabled with kSecIgnoreExpirationSMIMEUsage
675 @result A policy object. The caller is responsible for calling CFRelease
676 on this when it is no longer needed.
677 */
678 __nullable CF_RETURNS_RETAINED
679 SecPolicyRef SecPolicyCreateSMIME(CFIndex smimeUsage, CFStringRef __nullable email);
680
681 /*!
682 @function SecPolicyCreateCodeSigning
683 @abstract Returns a policy object for evaluating code signing certificate chains.
684 @discussion This policy uses the Basic X.509 policy with validity check and
685 requires the leaf to have
686 * a KeyUsage with both the DigitalSignature and NonRepudiation bits set, and
687 * an ExtendedKeyUsage with the AnyExtendedKeyUsage OID or the CodeSigning OID.
688 @result A policy object. The caller is responsible for calling CFRelease
689 on this when it is no longer needed.
690 */
691 __nullable CF_RETURNS_RETAINED
692 SecPolicyRef SecPolicyCreateCodeSigning(void);
693
694 /*!
695 @function SecPolicyCreateLockdownPairing
696 @abstract basic x509 policy for checking lockdown pairing certificate chains.
697 @discussion This policy checks some of the Basic X.509 policy options with no
698 validity check. It explicitly allows for empty subjects.
699 @result A policy object. The caller is responsible for calling CFRelease
700 on this when it is no longer needed.
701 */
702 __nullable CF_RETURNS_RETAINED
703 SecPolicyRef SecPolicyCreateLockdownPairing(void);
704
705 /*!
706 @function SecPolicyCreateURLBag
707 @abstract Returns a policy object for evaluating certificate chains for signing URL bags.
708 @discussion This policy uses the Basic X.509 policy with no validity check and requires
709 that the leaf has ExtendedKeyUsage extension with the CodeSigning OID.
710 @result A policy object. The caller is responsible for calling CFRelease
711 on this when it is no longer needed.
712 */
713 __nullable CF_RETURNS_RETAINED
714 SecPolicyRef SecPolicyCreateURLBag(void);
715
716 /*!
717 @function SecPolicyCreateOTATasking
718 @abstract Returns a policy object for evaluating certificate chains for signing OTA Tasking.
719 @discussion This policy uses the Basic X.509 policy with validity check and
720 pinning options:
721 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
722 the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
723 * There are exactly 3 certs in the chain.
724 * The intermediate has Common Name "Apple iPhone Certification Authority".
725 * The leaf has Common Name "OTA Task Signing".
726 @result A policy object. The caller is responsible for calling CFRelease
727 on this when it is no longer needed.
728 */
729 __nullable CF_RETURNS_RETAINED
730 SecPolicyRef SecPolicyCreateOTATasking(void);
731
732 /*!
733 @function SecPolicyCreateMobileAsset
734 @abstract Returns a policy object for evaluating certificate chains for signing Mobile Assets.
735 @discussion This policy uses the Basic X.509 policy with no validity check
736 and pinning options:
737 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
738 the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
739 * There are exactly 3 certs in the chain.
740 * The intermediate has Common Name "Apple iPhone Certification Authority".
741 * The leaf has Common Name "Asset Manifest Signing".
742 @result A policy object. The caller is responsible for calling CFRelease
743 on this when it is no longer needed.
744 */
745 __nullable CF_RETURNS_RETAINED
746 SecPolicyRef SecPolicyCreateMobileAsset(void);
747
748 /*!
749 @function SecPolicyCreateMobileAssetDevelopment
750 @abstract Returns a policy object for evaluating certificate chains for signing development
751 Mobile Assets.
752 @discussion This policy uses the Basic X.509 policy with no validity check
753 and pinning options:
754 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
755 the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
756 * There are exactly 3 certs in the chain.
757 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.18.
758 * The leaf has a marker extension with OID 1.2.840.113635.100.6.55.1.
759 @result A policy object. The caller is responsible for calling CFRelease
760 on this when it is no longer needed.
761 */
762 __nullable CF_RETURNS_RETAINED
763 SecPolicyRef SecPolicyCreateMobileAssetDevelopment(void)
764 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
765
766 /*!
767 @function SecPolicyCreateAppleIDAuthorityPolicy
768 @abstract Returns a policy object for evaluating certificate chains for Apple ID Authority.
769 @discussion This policy uses the Basic X.509 policy with validity check
770 and pinning options:
771 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
772 the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
773 * The intermediate(s) has(have) a marker extension with OID 1.2.840.113635.100.6.2.3
774 or OID 1.2.840.113635.100.6.2.7.
775 * The leaf has a marker extension with OID 1.2.840.113635.100.4.7.
776 * Revocation is checked via any available method.
777 @result A policy object. The caller is responsible for calling CFRelease
778 on this when it is no longer needed.
779 */
780 __nullable CF_RETURNS_RETAINED
781 SecPolicyRef SecPolicyCreateAppleIDAuthorityPolicy(void);
782
783 /*!
784 @function SecPolicyCreateMacAppStoreReceipt
785 @abstract Returns a policy object for evaluating certificate chains for signing
786 Mac App Store Receipts.
787 @discussion This policy uses the Basic X.509 policy with validity check
788 and pinning options:
789 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
790 the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
791 * There are exactly 3 certs in the chain.
792 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1.
793 * The leaf has CertificatePolicy extension with OID 1.2.840.113635.100.5.6.1.
794 * The leaf has a marker extension with OID 1.2.840.113635.100.6.11.1.
795 * Revocation is checked via any available method.
796 @result A policy object. The caller is responsible for calling CFRelease
797 on this when it is no longer needed.
798 */
799 __nullable CF_RETURNS_RETAINED
800 SecPolicyRef SecPolicyCreateMacAppStoreReceipt(void);
801
802 /*!
803 @function SecPolicyCreatePassbookCardSigner
804 @abstract Returns a policy object for evaluating certificate chains for signing Passbook cards.
805 @param cardIssuer Required; must match name in marker extension.
806 @param teamIdentifier Optional; if present, the policy will require the specified
807 team ID to match the organizationalUnit field in the leaf certificate's subject.
808 @discussion This policy uses the Basic X.509 policy with validity check
809 and pinning options:
810 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
811 the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
812 * The leaf has a marker extension with OID 1.2.840.113635.100.6.1.16 and containing the
813 cardIssuer.
814 * The leaf has ExtendedKeyUsage with OID 1.2.840.113635.100.4.14.
815 * The leaf has a Organizational Unit matching the TeamID.
816 @result A policy object. The caller is responsible for calling CFRelease
817 on this when it is no longer needed.
818 */
819 __nullable CF_RETURNS_RETAINED
820 SecPolicyRef SecPolicyCreatePassbookCardSigner(CFStringRef cardIssuer,
821 CFStringRef __nullable teamIdentifier);
822
823 /*!
824 @function SecPolicyCreateMobileStoreSigner
825 @abstract Returns a policy object for evaluating Mobile Store certificate chains.
826 @discussion This policy uses the Basic X.509 policy with validity check
827 and pinning options:
828 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
829 the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
830 * There are exactly 3 certs in the chain.
831 * The intermediate has Common Name "Apple System Integration 2 Certification Authority".
832 * The leaf has KeyUsage with the DigitalSignature bit set.
833 * The leaf has CertificatePolicy extension with OID 1.2.840.113635.100.5.12.
834 @result A policy object. The caller is responsible for calling CFRelease
835 on this when it is no longer needed.
836 */
837 __nullable CF_RETURNS_RETAINED
838 SecPolicyRef SecPolicyCreateMobileStoreSigner(void);
839
840 /*!
841 @function SecPolicyCreateTestMobileStoreSigner
842 @abstract Returns a policy object for evaluating Test Mobile Store certificate chains.
843 @discussion This policy uses the Basic X.509 policy with validity check
844 and pinning options:
845 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
846 the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
847 * There are exactly 3 certs in the chain.
848 * The intermediate has Common Name "Apple System Integration 2 Certification Authority".
849 * The leaf has KeyUsage with the DigitalSignature bit set.
850 * The leaf has CertificatePolicy extension with OID 1.2.840.113635.100.5.12.1.
851 @result A policy object. The caller is responsible for calling CFRelease
852 on this when it is no longer needed.
853 */
854 __nullable CF_RETURNS_RETAINED
855 SecPolicyRef SecPolicyCreateTestMobileStoreSigner(void);
856
857 /*!
858 @function SecPolicyCreateEscrowServiceSigner
859 @abstract Returns a policy object for evaluating Escrow Service certificate chains.
860 @discussion This policy uses the Basic X.509 policy with no validity check
861 and pinning options:
862 * The chain is anchored to the current Escrow Roots in the OTAPKI asset.
863 * There are exactly 2 certs in the chain.
864 * The leaf has KeyUsage with the KeyEncipherment bit set.
865 @result A policy object. The caller is responsible for calling CFRelease
866 on this when it is no longer needed.
867 */
868 __nullable CF_RETURNS_RETAINED
869 SecPolicyRef SecPolicyCreateEscrowServiceSigner(void);
870
871 /*!
872 @function SecPolicyCreatePCSEscrowServiceSigner
873 @abstract Returns a policy object for evaluating PCS Escrow Service certificate chains.
874 @discussion This policy uses the Basic X.509 policy with validity check
875 and pinning options:
876 * The chain is anchored to the current PCS Escrow Roots in the OTAPKI asset.
877 * There are exactly 2 certs in the chain.
878 * The leaf has KeyUsage with the KeyEncipherment bit set.
879 @result A policy object. The caller is responsible for calling CFRelease
880 on this when it is no longer needed.
881 */
882 __nullable CF_RETURNS_RETAINED
883 SecPolicyRef SecPolicyCreatePCSEscrowServiceSigner(void);
884
885 /*!
886 @function SecPolicyCreateOSXProvisioningProfileSigning
887 @abstract Returns a policy object for evaluating certificate chains for signing OS X
888 Provisioning Profiles.
889 @discussion This policy uses the Basic X.509 policy with validity check
890 and pinning options:
891 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
892 the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
893 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1.
894 * The leaf has KeyUsage with the DigitalSignature bit set.
895 * The leaf has a marker extension with OID 1.2.840.113635.100.4.11.
896 * Revocation is checked via OCSP.
897 @result A policy object. The caller is responsible for calling CFRelease
898 on this when it is no longer needed.
899 */
900 __nullable CF_RETURNS_RETAINED
901 SecPolicyRef SecPolicyCreateOSXProvisioningProfileSigning(void);
902
903 /*!
904 @function SecPolicyCreateConfigurationProfileSigner
905 @abstract Returns a policy object for evaluating certificate chains for signing
906 Configuration Profiles.
907 @discussion This policy uses the Basic X.509 policy with validity check
908 and pinning options:
909 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
910 the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
911 * There are exactly 3 certs in the chain.
912 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.3.
913 * The leaf has ExtendedKeyUsage with OID 1.2.840.113635.100.4.16.
914 @result A policy object. The caller is responsible for calling CFRelease
915 on this when it is no longer needed.
916 */
917 __nullable CF_RETURNS_RETAINED
918 SecPolicyRef SecPolicyCreateConfigurationProfileSigner(void);
919
920 /*!
921 @function SecPolicyCreateQAConfigurationProfileSigner
922 @abstract Returns a policy object for evaluating certificate chains for signing
923 QA Configuration Profiles. On customer builds, this function returns the same
924 policy as SecPolicyCreateConfigurationProfileSigner.
925 @discussion This policy uses the Basic X.509 policy with validity check
926 and pinning options:
927 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
928 the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
929 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.3.
930 * The leaf has ExtendedKeyUsage with OID 1.2.840.113635.100.4.17.
931 @result A policy object. The caller is responsible for calling CFRelease
932 on this when it is no longer needed.
933 */
934 __nullable CF_RETURNS_RETAINED
935 SecPolicyRef SecPolicyCreateQAConfigurationProfileSigner(void);
936
937 /*!
938 @function SecPolicyCreateOTAPKISigner
939 @abstract Returns a policy object for evaluating OTA PKI certificate chains.
940 @discussion This policy uses the Basic X.509 policy with validity check
941 and pinning options:
942 * The chain is anchored to Apple PKI Settings CA.
943 * There are exactly 2 certs in the chain.
944 @result A policy object. The caller is responsible for calling CFRelease
945 on this when it is no longer needed.
946 */
947 __nullable CF_RETURNS_RETAINED
948 SecPolicyRef SecPolicyCreateOTAPKISigner(void)
949 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_12, __MAC_10_13_4, __IPHONE_7_0, __IPHONE_11_3);
950
951 /*!
952 @function SecPolicyCreateTestOTAPKISigner
953 @abstract Returns a policy object for evaluating OTA PKI certificate chains.
954 @discussion This policy uses the Basic X.509 policy with validity check
955 and pinning options:
956 * The chain is anchored to Apple Test PKI Settings CA.
957 * There are exactly 2 certs in the chain.
958 @result A policy object. The caller is responsible for calling CFRelease
959 on this when it is no longer needed.
960 */
961 __nullable CF_RETURNS_RETAINED
962 SecPolicyRef SecPolicyCreateTestOTAPKISigner(void)
963 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_12, __MAC_10_13_4, __IPHONE_7_0, __IPHONE_11_3);
964
965 /*!
966 @function SecPolicyCreateAppleIDValidationRecordSigningPolicy
967 @abstract Returns a policy object for evaluating certificate chains for signing
968 Apple ID Validation Records.
969 @discussion This policy uses the Basic X.509 policy with validity check
970 and pinning options:
971 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
972 the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
973 * The intermediate(s) has(have) a marker extension with OID 1.2.840.113635.100.6.2.3
974 or OID 1.2.840.113635.100.6.2.10.
975 * The leaf has a marker extension with OID 1.2.840.113635.100.6.25.
976 * Revocation is checked via OCSP.
977 @result A policy object. The caller is responsible for calling CFRelease
978 on this when it is no longer needed.
979 */
980 __nullable CF_RETURNS_RETAINED
981 SecPolicyRef SecPolicyCreateAppleIDValidationRecordSigningPolicy(void);
982
983 /*!
984 @function SecPolicyCreateAppleSMPEncryption
985 @abstract Returns a policy object for evaluating SMP certificate chains.
986 @discussion This policy uses the Basic X.509 policy with no validity check
987 and pinning options:
988 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
989 the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
990 * There are exactly 3 certs in the chain.
991 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.13.
992 * The leaf has KeyUsage with the KeyEncipherment bit set.
993 * The leaf has a marker extension with OID 1.2.840.113635.100.6.30.
994 * Revocation is checked via OCSP.
995 @result A policy object. The caller is responsible for calling CFRelease
996 on this when it is no longer needed.
997 */
998 __nullable CF_RETURNS_RETAINED
999 SecPolicyRef SecPolicyCreateAppleSMPEncryption(void);
1000
1001 /*!
1002 @function SecPolicyCreateTestAppleSMPEncryption
1003 @abstract Returns a policy object for evaluating Test SMP certificate chains.
1004 @discussion This policy uses the Basic X.509 policy with no validity check
1005 and pinning options:
1006 * The chain is anchored to a Test Apple Root with ECC public key certificate.
1007 * There are exactly 3 certs in the chain.
1008 * The intermediate has Common Name "Test Apple System Integration CA - ECC".
1009 * The leaf has KeyUsage with the KeyEncipherment bit set.
1010 * Revocation is checked via OCSP.
1011 @result A policy object. The caller is responsible for calling CFRelease
1012 on this when it is no longer needed.
1013 */
1014 __nullable CF_RETURNS_RETAINED
1015 SecPolicyRef SecPolicyCreateTestAppleSMPEncryption(void);
1016
1017 /*!
1018 @function SecPolicyCreateApplePPQSigning
1019 @abstract Returns a policy object for verifying production PPQ Signing certificates.
1020 @discussion This policy uses the Basic X.509 policy with no validity check
1021 and pinning options:
1022 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
1023 the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
1024 * There are exactly 3 certs in the chain.
1025 * The intermediate has Common Name "Apple System Integration 2 Certification
1026 Authority".
1027 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.10.
1028 * The leaf has KeyUsage with the DigitalSignature bit set.
1029 * The leaf has a marker extension with OID 1.2.840.113635.100.6.38.2.
1030 @result A policy object. The caller is responsible for calling CFRelease
1031 on this when it is no longer needed.
1032 */
1033 __nullable CF_RETURNS_RETAINED
1034 SecPolicyRef SecPolicyCreateApplePPQSigning(void);
1035
1036 /*!
1037 @function SecPolicyCreateTestApplePPQSigning
1038 @abstract Returns a policy object for verifying test PPQ Signing certificates. On
1039 customer builds, this function returns the same policy as SecPolicyCreateApplePPQSigning.
1040 @discussion This policy uses the Basic X.509 policy with no validity check
1041 and pinning options:
1042 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
1043 the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
1044 * There are exactly 3 certs in the chain.
1045 * The intermediate has Common Name "Apple System Integration 2 Certification
1046 Authority".
1047 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.10.
1048 * The leaf has KeyUsage with the DigitalSignature bit set.
1049 * The leaf has a marker extension with OID 1.2.840.113635.100.6.38.1.
1050 @result A policy object. The caller is responsible for calling CFRelease
1051 on this when it is no longer needed.
1052 */
1053 __nullable CF_RETURNS_RETAINED
1054 SecPolicyRef SecPolicyCreateTestApplePPQSigning(void);
1055
1056 /*!
1057 @function SecPolicyCreateAppleIDSService
1058 @abstract Ensure we're appropriately pinned to the IDS service (SSL + Apple restrictions)
1059 @discussion This policy uses the SSL server policy.
1060 @result A policy object. The caller is responsible for calling CFRelease
1061 on this when it is no longer needed.
1062 */
1063 __nullable CF_RETURNS_RETAINED
1064 SecPolicyRef SecPolicyCreateAppleIDSService(CFStringRef __nullable hostname);
1065
1066 /*!
1067 @function SecPolicyCreateAppleIDSServiceContext
1068 @abstract Ensure we're appropriately pinned to the IDS service (SSL + Apple restrictions)
1069 @param hostname Required; hostname to verify the certificate name against.
1070 @param context Optional; if present, "AppleServerAuthenticationAllowUATIDS" with value
1071 Boolean true will allow Test Apple roots on internal releases.
1072 @discussion This policy uses the Basic X.509 policy with validity check
1073 and pinning options:
1074 * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs
1075 are permitted only on internal releases either using the context dictionary or with
1076 defaults write.
1077 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
1078 * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.4.2 or,
1079 if Test Roots are allowed, OID 1.2.840.113635.100.6.27.4.1.
1080 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
1081 extension or Common Name.
1082 * The leaf is checked against the Black and Gray lists.
1083 * The leaf has ExtendedKeyUsage with the ServerAuth OID.
1084 * Revocation is checked via any available method.
1085 @result A policy object. The caller is responsible for calling CFRelease
1086 on this when it is no longer needed.
1087 */
1088 __nullable CF_RETURNS_RETAINED
1089 SecPolicyRef SecPolicyCreateAppleIDSServiceContext(CFStringRef hostname, CFDictionaryRef __nullable context);
1090
1091 /*!
1092 @function SecPolicyCreateApplePushService
1093 @abstract Ensure we're appropriately pinned to the Apple Push service (SSL + Apple restrictions)
1094 @param hostname Required; hostname to verify the certificate name against.
1095 @param context Optional; if present, "AppleServerAuthenticationAllowUATAPN" with value
1096 Boolean true will allow Test Apple roots on internal releases.
1097 @discussion This policy uses the Basic X.509 policy with validity check
1098 and pinning options:
1099 * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs
1100 are permitted only on internal releases either using the context dictionary or with
1101 defaults write.
1102 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
1103 * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.5.2 or,
1104 if Test Roots are allowed, OID 1.2.840.113635.100.6.27.5.1.
1105 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
1106 extension or Common Name.
1107 * The leaf is checked against the Black and Gray lists.
1108 * The leaf has ExtendedKeyUsage with the ServerAuth OID.
1109 * Revocation is checked via any available method.
1110 @result A policy object. The caller is responsible for calling CFRelease
1111 on this when it is no longer needed.
1112 */
1113 __nullable CF_RETURNS_RETAINED
1114 SecPolicyRef SecPolicyCreateApplePushService(CFStringRef hostname, CFDictionaryRef __nullable context);
1115
1116 /*!
1117 @function SecPolicyCreateApplePushServiceLegacy
1118 @abstract Ensure we're appropriately pinned to the Push service (via Entrust)
1119 @param hostname Required; hostname to verify the certificate name against.
1120 @discussion This policy uses the Basic X.509 policy with validity check
1121 and pinning options:
1122 * The chain is anchored to an Entrust Intermediate.
1123 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
1124 extension or Common Name.
1125 * The leaf is checked against the Black and Gray lists.
1126 * The leaf has ExtendedKeyUsage with the ServerAuth OID.
1127 * Revocation is checked via any available method.
1128 @result A policy object. The caller is responsible for calling CFRelease
1129 on this when it is no longer needed.
1130 */
1131 __nullable CF_RETURNS_RETAINED
1132 SecPolicyRef SecPolicyCreateApplePushServiceLegacy(CFStringRef hostname);
1133
1134 /*!
1135 @function SecPolicyCreateAppleMMCSService
1136 @abstract Ensure we're appropriately pinned to the MMCS service (SSL + Apple restrictions)
1137 @param hostname Required; hostname to verify the certificate name against.
1138 @param context Optional; if present, "AppleServerAuthenticationAllowUATMMCS" with value
1139 Boolean true will allow Test Apple roots and test OIDs on internal releases.
1140 @discussion This policy uses the Basic X.509 policy with validity check
1141 and pinning options:
1142 * The chain is anchored to any of the production Apple Root CAs.
1143 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
1144 * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.11.2 or, if
1145 enabled, OID 1.2.840.113635.100.6.27.11.1.
1146 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
1147 extension or Common Name.
1148 * The leaf has ExtendedKeyUsage with the ServerAuth OID.
1149 * Revocation is checked via any available method.
1150 @result A policy object. The caller is responsible for calling CFRelease
1151 on this when it is no longer needed.
1152 */
1153 __nullable CF_RETURNS_RETAINED
1154 SecPolicyRef SecPolicyCreateAppleMMCSService(CFStringRef hostname, CFDictionaryRef __nullable context);
1155
1156 /*!
1157 @function SecPolicyCreateAppleCompatibilityMMCSService
1158 @abstract Ensure we're appropriately pinned to the MMCS service using compatibility certs
1159 @param hostname Required; hostname to verify the certificate name against.
1160 @discussion This policy uses the Basic X.509 policy with validity check
1161 and pinning options:
1162 * The chain is anchored to the GeoTrust Global CA
1163 * The intermediate has a subject public key info hash matching the public key of
1164 the Apple IST CA G1 intermediate.
1165 * The chain length is 3.
1166 * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.11.2 or
1167 OID 1.2.840.113635.100.6.27.11.1.
1168 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
1169 extension or Common Name.
1170 * The leaf is checked against the Black and Gray lists.
1171 * The leaf has ExtendedKeyUsage with the ServerAuth OID.
1172 @result A policy object. The caller is responsible for calling CFRelease
1173 on this when it is no longer needed.
1174 */
1175 __nullable CF_RETURNS_RETAINED
1176 SecPolicyRef SecPolicyCreateAppleCompatibilityMMCSService(CFStringRef hostname)
1177 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
1178
1179 /*!
1180 @function SecPolicyCreateAppleGSService
1181 @abstract Ensure we're appropriately pinned to the GS service (SSL + Apple restrictions)
1182 @param hostname Required; hostname to verify the certificate name against.
1183 @param context Optional; if present, "AppleServerAuthenticationAllowUATGS" with value
1184 Boolean true will allow Test Apple roots on internal releases.
1185 @discussion This policy uses the Basic X.509 policy with validity check
1186 and pinning options:
1187 * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs
1188 are permitted only on internal releases either using the context dictionary or with
1189 defaults write.
1190 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
1191 * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.2.
1192 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
1193 extension or Common Name.
1194 * The leaf is checked against the Black and Gray lists.
1195 * The leaf has ExtendedKeyUsage with the ServerAuth OID.
1196 * Revocation is checked via any available method.
1197 @result A policy object. The caller is responsible for calling CFRelease
1198 on this when it is no longer needed.
1199 */
1200 __nullable CF_RETURNS_RETAINED
1201 SecPolicyRef SecPolicyCreateAppleGSService(CFStringRef hostname, CFDictionaryRef __nullable context)
1202 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
1203
1204 /*!
1205 @function SecPolicyCreateApplePPQService
1206 @abstract Ensure we're appropriately pinned to the PPQ service (SSL + Apple restrictions)
1207 @param hostname Required; hostname to verify the certificate name against.
1208 @param context Optional; if present, "AppleServerAuthenticationAllowUATPPQ" with value
1209 Boolean true will allow Test Apple roots on internal releases.
1210 @discussion This policy uses the Basic X.509 policy with validity check
1211 and pinning options:
1212 * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs
1213 are permitted only on internal releases either using the context dictionary or with
1214 defaults write.
1215 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
1216 * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.3.2 or,
1217 if Test Roots are allowed, OID 1.2.840.113635.100.6.27.3.1.
1218 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
1219 extension or Common Name.
1220 * The leaf is checked against the Black and Gray lists.
1221 * The leaf has ExtendedKeyUsage with the ServerAuth OID.
1222 * Revocation is checked via any available method.
1223 @result A policy object. The caller is responsible for calling CFRelease
1224 on this when it is no longer needed.
1225 */
1226 __nullable CF_RETURNS_RETAINED
1227 SecPolicyRef SecPolicyCreateApplePPQService(CFStringRef hostname, CFDictionaryRef __nullable context)
1228 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
1229
1230 /*!
1231 @function SecPolicyCreateAppleAST2Service
1232 @abstract Ensure we're appropriately pinned to the AST2 Diagnostic service (SSL + Apple restrictions)
1233 @param hostname Required; hostname to verify the certificate name against.
1234 @param context Optional; if present, "AppleServerAuthenticationAllowUATAST2" with value
1235 Boolean true will allow Test Apple roots on internal releases.
1236 @discussion This policy uses the Basic X.509 policy with validity check
1237 and pinning options:
1238 * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs
1239 are permitted either using the context dictionary or with defaults write.
1240 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
1241 * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.8.2 or,
1242 if Test Roots are allowed, OID 1.2.840.113635.100.6.27.8.1.
1243 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
1244 extension or Common Name.
1245 * The leaf is checked against the Black and Gray lists.
1246 * The leaf has ExtendedKeyUsage with the ServerAuth OID.
1247 * Revocation is checked via any available method.
1248 @result A policy object. The caller is responsible for calling CFRelease
1249 on this when it is no longer needed.
1250 */
1251 __nullable CF_RETURNS_RETAINED
1252 SecPolicyRef SecPolicyCreateAppleAST2Service(CFStringRef hostname, CFDictionaryRef __nullable context)
1253 __OSX_AVAILABLE_STARTING(__MAC_10_11_4, __IPHONE_9_3);
1254
1255 /*!
1256 @function SecPolicyCreateAppleEscrowProxyService
1257 @abstract Ensure we're appropriately pinned to the iCloud Escrow Proxy service (SSL + Apple restrictions)
1258 @param hostname Required; hostname to verify the certificate name against.
1259 @param context Optional; if present, "AppleServerAuthenticationAllowUATEscrow" with value
1260 Boolean true will allow Test Apple roots on internal releases.
1261 @discussion This policy uses the Basic X.509 policy with validity check
1262 and pinning options:
1263 * The chain is anchored to any of the production Apple Root CAs via full certificate
1264 comparison. Test Apple Root CAs are permitted only on internal releases either
1265 using the context dictionary or with defaults write.
1266 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
1267 * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.7.2 or,
1268 if Test Roots are allowed, OID 1.2.840.113635.100.6.27.7.1.
1269 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
1270 extension or Common Name.
1271 * The leaf is checked against the Black and Gray lists.
1272 * The leaf has ExtendedKeyUsage with the ServerAuth OID.
1273 * Revocation is checked via any available method.
1274 @result A policy object. The caller is responsible for calling CFRelease
1275 on this when it is no longer needed.
1276 */
1277 __nullable CF_RETURNS_RETAINED
1278 SecPolicyRef SecPolicyCreateAppleEscrowProxyService(CFStringRef hostname, CFDictionaryRef __nullable context)
1279 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
1280
1281 /*!
1282 @function SecPolicyCreateAppleCompatibilityEscrowProxyService
1283 @abstract Ensure we're appropriately pinned to the iCloud Escrow Proxy service using compatibility certs
1284 @param hostname Required; hostname to verify the certificate name against.
1285 @discussion This policy uses the Basic X.509 policy with validity check
1286 and pinning options:
1287 * The chain is anchored to the GeoTrust Global CA
1288 * The intermediate has a subject public key info hash matching the public key of
1289 the Apple IST CA G1 intermediate.
1290 * The chain length is 3.
1291 * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.7.2 or,
1292 if UAT is enabled with a defaults write (internal devices only),
1293 OID 1.2.840.113635.100.6.27.7.1.
1294 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
1295 extension or Common Name.
1296 * The leaf is checked against the Black and Gray lists.
1297 * The leaf has ExtendedKeyUsage with the ServerAuth OID.
1298 @result A policy object. The caller is responsible for calling CFRelease
1299 on this when it is no longer needed.
1300 */
1301 __nullable CF_RETURNS_RETAINED
1302 SecPolicyRef SecPolicyCreateAppleCompatibilityEscrowProxyService(CFStringRef hostname)
1303 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
1304
1305 /*!
1306 @function SecPolicyCreateAppleFMiPService
1307 @abstract Ensure we're appropriately pinned to the Find My iPhone service (SSL + Apple restrictions)
1308 @param hostname Required; hostname to verify the certificate name against.
1309 @param context Optional; if present, "AppleServerAuthenticationAllowUATFMiP" with value
1310 Boolean true will allow Test Apple roots on internal releases.
1311 @discussion This policy uses the Basic X.509 policy with validity check
1312 and pinning options:
1313 * The chain is anchored to any of the production Apple Root CAs via full certificate
1314 comparison. Test Apple Root CAs are permitted only on internal releases either
1315 using the context dictionary or with defaults write.
1316 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
1317 * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.6.2 or,
1318 if Test Roots are allowed, OID 1.2.840.113635.100.6.27.6.1.
1319 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
1320 extension or Common Name.
1321 * The leaf is checked against the Black and Gray lists.
1322 * The leaf has ExtendedKeyUsage with the ServerAuth OID.
1323 * Revocation is checked via any available method.
1324 @result A policy object. The caller is responsible for calling CFRelease
1325 on this when it is no longer needed.
1326 */
1327 __nullable CF_RETURNS_RETAINED
1328 SecPolicyRef SecPolicyCreateAppleFMiPService(CFStringRef hostname, CFDictionaryRef __nullable context)
1329 __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
1330
1331 /*!
1332 @function SecPolicyCreateAppleSSLService
1333 @abstract Ensure we're appropriately pinned to an Apple server (SSL + Apple restrictions)
1334 @param hostname Optional; hostname to verify the certificate name against.
1335 @discussion This policy uses the Basic X.509 policy with validity check
1336 and pinning options:
1337 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
1338 the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
1339 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
1340 * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.1
1341 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
1342 extension or Common Name.
1343 * The leaf is checked against the Black and Gray lists.
1344 * The leaf has ExtendedKeyUsage, if any, with the ServerAuth OID.
1345 * Revocation is checked via any available method.
1346 @result A policy object. The caller is responsible for calling CFRelease
1347 on this when it is no longer needed.
1348 */
1349 __nullable CF_RETURNS_RETAINED
1350 SecPolicyRef SecPolicyCreateAppleSSLService(CFStringRef __nullable hostname);
1351
1352 /*!
1353 @function SecPolicyCreateAppleTimeStamping
1354 @abstract Returns a policy object for evaluating time stamping certificate chains.
1355 @discussion This policy uses the Basic X.509 policy with validity check
1356 and requires the leaf has ExtendedKeyUsage with the TimeStamping OID.
1357 @result A policy object. The caller is responsible for calling CFRelease
1358 on this when it is no longer needed.
1359 */
1360 __nullable CF_RETURNS_RETAINED
1361 SecPolicyRef SecPolicyCreateAppleTimeStamping(void);
1362
1363 /*!
1364 @function SecPolicyCreateApplePayIssuerEncryption
1365 @abstract Returns a policy object for evaluating Apple Pay Issuer Encryption certificate chains.
1366 @discussion This policy uses the Basic X.509 policy with no validity check
1367 and pinning options:
1368 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
1369 the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
1370 * There are exactly 3 certs in the chain.
1371 * The intermediate has Common Name "Apple Worldwide Developer Relations CA - G2".
1372 * The leaf has KeyUsage with the KeyEncipherment bit set.
1373 * The leaf has a marker extension with OID 1.2.840.113635.100.6.39.
1374 @result A policy object. The caller is responsible for calling CFRelease
1375 on this when it is no longer needed.
1376 */
1377 __nullable CF_RETURNS_RETAINED
1378 SecPolicyRef SecPolicyCreateApplePayIssuerEncryption(void)
1379 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
1380
1381 /*!
1382 @function SecPolicyCreateAppleATVVPNProfileSigning
1383 @abstract Returns a policy object for evaluating Apple TV VPN Profile certificate chains.
1384 @discussion This policy uses the Basic X.509 policy with no validity check
1385 and pinning options:
1386 * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs
1387 are permitted only on internal releases.
1388 * There are exactly 3 certs in the chain.
1389 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.10.
1390 * The leaf has a marker extension with OID 1.2.840.113635.100.6.43.
1391 * Revocation is checked via OCSP.
1392 @result A policy object. The caller is responsible for calling CFRelease
1393 on this when it is no longer needed.
1394 */
1395 __nullable CF_RETURNS_RETAINED
1396 SecPolicyRef SecPolicyCreateAppleATVVPNProfileSigning(void)
1397 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
1398
1399 /*!
1400 @function SecPolicyCreateAppleHomeKitServerAuth
1401 @abstract Ensure we're appropriately pinned to the HomeKit service (SSL + Apple restrictions)
1402 @param hostname Required; hostname to verify the certificate name against.
1403 @discussion This policy uses the Basic X.509 policy with validity check
1404 and pinning options:
1405 * The chain is anchored to any of the production Apple Root CAs via full certificate
1406 comparison. Test Apple Root CAs are permitted only on internal releases with defaults write.
1407 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.16
1408 * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.9.
1409 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
1410 extension or Common Name.
1411 * The leaf is checked against the Black and Gray lists.
1412 * The leaf has ExtendedKeyUsage with the ServerAuth OID.
1413 * Revocation is checked via any available method.
1414 @result A policy object. The caller is responsible for calling CFRelease
1415 on this when it is no longer needed.
1416 */
1417 __nullable CF_RETURNS_RETAINED
1418 SecPolicyRef SecPolicyCreateAppleHomeKitServerAuth(CFStringRef hostname)
1419 __OSX_AVAILABLE_STARTING(__MAC_10_11_4, __IPHONE_9_3);
1420
1421 /*!
1422 @function SecPolicyCreateAppleExternalDeveloper
1423 @abstract Returns a policy object for verifying Apple-issued external developer
1424 certificates.
1425 @discussion The resulting policy uses the Basic X.509 policy with validity check and
1426 pinning options:
1427 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
1428 the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
1429 * There are exactly 3 certs in the chain.
1430 * The intermediate has a marker extension with OID matching 1.2.840.113635.100.6.2.1
1431 (WWDR CA) or 1.2.840.113635.100.6.2.6 (Developer ID CA).
1432 * The leaf has a marker extension with OID matching one of the following:
1433 * 1.2.840.113635.100.6.1.2 ("iPhone Developer" leaf)
1434 * 1.2.840.113635.100.6.1.4 ("iPhone Distribution" leaf)
1435 * 1.2.840.113635.100.6.1.5 ("Safari Developer" leaf)
1436 * 1.2.840.113635.100.6.1.7 ("3rd Party Mac Developer Application" leaf)
1437 * 1.2.840.113635.100.6.1.8 ("3rd Party Mac Developer Installer" leaf)
1438 * 1.2.840.113635.100.6.1.12 ("Mac Developer" leaf)
1439 * 1.2.840.113635.100.6.1.13 ("Developer ID Application" leaf)
1440 * 1.2.840.113635.100.6.1.14 ("Developer ID Installer" leaf)
1441 * The leaf has an ExtendedKeyUsage OID matching one of the following:
1442 * 1.3.6.1.5.5.7.3.3 (CodeSigning EKU)
1443 * 1.2.840.113635.100.4.8 ("Safari Developer" EKU)
1444 * 1.2.840.113635.100.4.9 ("3rd Party Mac Developer Installer" EKU)
1445 * 1.2.840.113635.100.4.13 ("Developer ID Installer" EKU)
1446 * Revocation is checked via any available method.
1447 * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
1448 @result A policy object. The caller is responsible for calling CFRelease on this when
1449 it is no longer needed.
1450 */
1451 __nullable CF_RETURNS_RETAINED
1452 SecPolicyRef SecPolicyCreateAppleExternalDeveloper(void)
1453 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1454
1455 /*!
1456 @function SecPolicyCreateAppleSoftwareSigning
1457 @abstract Returns a policy object for verifying the Apple Software Signing certificate.
1458 @discussion The resulting policy uses the Basic X.509 policy with no validity check and
1459 pinning options:
1460 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
1461 the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
1462 * There are exactly 3 certs in the chain.
1463 * The intermediate has the Common Name "Apple Code Signing Certification Authority".
1464 * The leaf has a marker extension with OID matching 1.2.840.113635.100.6.22.
1465 * The leaf has an ExtendedKeyUsage OID matching 1.3.6.1.5.5.7.3.3 (Code Signing).
1466 * Revocation is checked via any available method.
1467 * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
1468 @result A policy object. The caller is responsible for calling CFRelease on this when
1469 it is no longer needed.
1470 */
1471 __nullable CF_RETURNS_RETAINED
1472 SecPolicyRef SecPolicyCreateAppleSoftwareSigning(void)
1473 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1474
1475 /*!
1476 @function SecPolicyGetName
1477 @abstract Returns a policy's name.
1478 @param policy A policy reference.
1479 @result A policy name.
1480 */
1481 __nullable CFStringRef SecPolicyGetName(SecPolicyRef policy)
1482 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1483
1484 /*!
1485 @function SecPolicyGetOidString
1486 @abstract Returns a policy's oid in string decimal format.
1487 @param policy A policy reference.
1488 @result A policy oid.
1489 */
1490 CFStringRef SecPolicyGetOidString(SecPolicyRef policy)
1491 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1492
1493 /*!
1494 @function SecPolicyCreateAppleUniqueDeviceCertificate
1495 @abstract Returns a policy object for verifying Unique Device Identifier Certificates.
1496 @param testRootHash Optional; The SHA-256 fingerprint of a test root for pinning.
1497 @discussion The resulting policy uses the Basic X.509 policy with no validity check and
1498 pinning options:
1499 * The chain is anchored to the SEP Root CA. Internal releases allow the chain to be
1500 anchored to the testRootHash input if the value true is set for the key
1501 "ApplePinningAllowTestCertsUCRT" in the com.apple.security preferences for the user
1502 of the calling application.
1503 * There are exactly 3 certs in the chain.
1504 * The intermediate has an extension with OID matching 1.2.840.113635.100.6.44 and value
1505 of "ucrt".
1506 * The leaf has a marker extension with OID matching 1.2.840.113635.100.10.1.
1507 * RSA key sizes are disallowed. EC key sizes are P-256 or larger.
1508 @result A policy object. The caller is responsible for calling CFRelease on this when
1509 it is no longer needed.
1510 */
1511 __nullable CF_RETURNS_RETAINED
1512 SecPolicyRef SecPolicyCreateAppleUniqueDeviceCertificate(CFDataRef __nullable testRootHash)
1513 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1514
1515 /*!
1516 @function SecPolicyCreateAppleWarsaw
1517 @abstract Returns a policy object for verifying signed Warsaw assets.
1518 @discussion The resulting policy uses the Basic X.509 policy with validity check and
1519 pinning options:
1520 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
1521 the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
1522 * There are exactly 3 certs in the chain.
1523 * The intermediate has an extension with OID matching 1.2.840.113635.100.6.2.14.
1524 * The leaf has a marker extension with OID matching 1.2.840.113635.100.6.29.
1525 * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
1526 @result A policy object. The caller is responsible for calling CFRelease on this when
1527 it is no longer needed.
1528 */
1529 __nullable CF_RETURNS_RETAINED
1530 SecPolicyRef SecPolicyCreateAppleWarsaw(void)
1531 __OSX_AVAILABLE(10.12.1) __IOS_AVAILABLE(10.1) __TVOS_AVAILABLE(10.0.1) __WATCHOS_AVAILABLE(3.1);
1532
1533 /*!
1534 @function SecPolicyCreateAppleSecureIOStaticAsset
1535 @abstract Returns a policy object for verifying signed static assets for Secure IO.
1536 @discussion The resulting policy uses the Basic X.509 policy with no validity check and
1537 pinning options:
1538 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
1539 the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
1540 * There are exactly 3 certs in the chain.
1541 * The intermediate has an extension with OID matching 1.2.840.113635.100.6.2.10.
1542 * The leaf has a marker extension with OID matching 1.2.840.113635.100.6.50.
1543 * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
1544 @result A policy object. The caller is responsible for calling CFRelease on this when
1545 it is no longer needed.
1546 */
1547 __nullable CF_RETURNS_RETAINED
1548 SecPolicyRef SecPolicyCreateAppleSecureIOStaticAsset(void)
1549 __OSX_AVAILABLE(10.12.1) __IOS_AVAILABLE(10.1) __TVOS_AVAILABLE(10.0.1) __WATCHOS_AVAILABLE(3.1);
1550
1551 /*!
1552 @function SecPolicyCreateAppleiCloudSetupService
1553 @abstract Ensure we're appropriately pinned to the iCloud Setup service (SSL + Apple restrictions)
1554 @param hostname Required; hostname to verify the certificate name against.
1555 @param context Optional; if present, "AppleServerAuthenticationAllowUATiCloudSetup" with value
1556 Boolean true will allow Test Apple roots and test OIDs on internal releases.
1557 @discussion This policy uses the Basic X.509 policy with validity check
1558 and pinning options:
1559 * The chain is anchored to any of the production Apple Root CAs.
1560 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
1561 * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.15.2 or, if
1562 enabled, OID 1.2.840.113635.100.6.27.15.1.
1563 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
1564 extension or Common Name.
1565 * The leaf has ExtendedKeyUsage with the ServerAuth OID.
1566 * Revocation is checked via any available method.
1567 @result A policy object. The caller is responsible for calling CFRelease
1568 on this when it is no longer needed.
1569 */
1570 __nullable CF_RETURNS_RETAINED
1571 SecPolicyRef SecPolicyCreateAppleiCloudSetupService(CFStringRef hostname, CFDictionaryRef __nullable context)
1572 __OSX_AVAILABLE(10.12.4) __IOS_AVAILABLE(10.3) __TVOS_AVAILABLE(10.2) __WATCHOS_AVAILABLE(3.2);
1573
1574 /*!
1575 @function SecPolicyCreateAppleCompatibilityiCloudSetupService
1576 @abstract Ensure we're appropriately pinned to the iCloud Setup service using compatibility certs
1577 @param hostname Required; hostname to verify the certificate name against.
1578 @discussion This policy uses the Basic X.509 policy with validity check
1579 and pinning options:
1580 * The chain is anchored to the GeoTrust Global CA
1581 * The intermediate has a subject public key info hash matching the public key of
1582 the Apple IST CA G1 intermediate.
1583 * The chain length is 3.
1584 * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.15.2 or
1585 OID 1.2.840.113635.100.6.27.15.1.
1586 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
1587 extension or Common Name.
1588 * The leaf is checked against the Black and Gray lists.
1589 * The leaf has ExtendedKeyUsage with the ServerAuth OID.
1590 @result A policy object. The caller is responsible for calling CFRelease
1591 on this when it is no longer needed.
1592 */
1593 __nullable CF_RETURNS_RETAINED
1594 SecPolicyRef SecPolicyCreateAppleCompatibilityiCloudSetupService(CFStringRef hostname)
1595 __OSX_AVAILABLE(10.12.4) __IOS_AVAILABLE(10.3) __TVOS_AVAILABLE(10.2) __WATCHOS_AVAILABLE(3.2);
1596
1597 /*!
1598 @function SecPolicyCreateAppleAppTransportSecurity
1599 @abstract Ensure all certs in the evaluation meet ATS minimums
1600 @discussion This policy is meant to be used alongside an SSL policy in order to enforce App Transport Security certificate rules:
1601 * All certificates use either RSA key sizes of 2048-bits or larger or EC key sizes of 256-bits or larger.
1602 * All certificates use SHA-256 or better for signature hash algorithms.
1603 @result A policy object. The caller is responsible for calling CFRelease
1604 on this when it is no longer needed.
1605 */
1606 __nullable CF_RETURNS_RETAINED
1607 SecPolicyRef SecPolicyCreateAppleAppTransportSecurity(void)
1608 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
1609
1610 /*!
1611 @function SecPolicyCreateMobileSoftwareUpdate
1612 @abstract Returns a policy object for evaluating certificate chains for signing Mobile Software Updates.
1613 @discussion This policy uses the Basic X.509 policy with no validity check
1614 and pinning options:
1615 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
1616 the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
1617 * There are exactly 3 certs in the chain.
1618 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.18.
1619 * The leaf has a marker extension with OID 1.2.840.113635.100.6.57.2, or on internal releases,
1620 1.2.840.113635.100.6.57.1.
1621 * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
1622 @result A policy object. The caller is responsible for calling CFRelease
1623 on this when it is no longer needed.
1624 */
1625 __nullable CF_RETURNS_RETAINED
1626 SecPolicyRef SecPolicyCreateMobileSoftwareUpdate(void)
1627 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
1628
1629 /*!
1630 @function SecPolicyCreateAppleBasicAttestationSystem
1631 @abstract Returns a policy object for verifying Basic Attestation Authority SCRT-attested certs
1632 @param testRootHash Optional; The SHA-256 fingerprint of a test root for pinning.
1633 @discussion The resulting policy uses the Basic X.509 policy with validity check and
1634 pinning options:
1635 * The chain is anchored to the Basic Attestation System Root CA.
1636 * There are exactly 3 certs in the chain.
1637 @result A policy object. The caller is responsible for calling CFRelease on this when
1638 it is no longer needed.
1639 */
1640 __nullable CF_RETURNS_RETAINED
1641 SecPolicyRef SecPolicyCreateAppleBasicAttestationSystem(CFDataRef __nullable testRootHash)
1642 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
1643
1644 /*!
1645 @function SecPolicyCreateAppleBasicAttestationUser
1646 @abstract Returns a policy object for verifying Basic Attestation Authority UCRT-attested certs
1647 @param testRootHash Optional; The SHA-256 fingerprint of a test root for pinning.
1648 @discussion The resulting policy uses the Basic X.509 policy with validity check and
1649 pinning options:
1650 * The chain is anchored to the Basic Attestation User Root CA.
1651 * There are exactly 3 certs in the chain.
1652 @result A policy object. The caller is responsible for calling CFRelease on this when
1653 it is no longer needed.
1654 */
1655 __nullable CF_RETURNS_RETAINED
1656 SecPolicyRef SecPolicyCreateAppleBasicAttestationUser(CFDataRef __nullable testRootHash)
1657 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
1658
1659 /*!
1660 @function SecPolicyCreateiAPSWAuth
1661 @abstract Returns a policy object for verifying iAP Software Auth certificates
1662 @discussion The resulting policy uses the Basic X.509 policy with no validity check
1663 and pinning options:
1664 * There are exactly 2 certs in the chain.
1665 * The leaf has a marker extension with OID 1.2.840.113635.100.6.59.1
1666 The intended use of this policy is that the caller pass in the
1667 SW Auth root to SecTrustSetAnchorCertificates().
1668 @result A policy object. The caller is responsible for calling CFRelease on this when
1669 it is no longer needed.
1670 */
1671 __nullable CF_RETURNS_RETAINED
1672 SecPolicyRef SecPolicyCreateiAPSWAuth(void)
1673 __OSX_AVAILABLE(10.13.4) __IOS_AVAILABLE(11.3) __TVOS_AVAILABLE(11.3) __WATCHOS_AVAILABLE(4.3);
1674
1675 /*!
1676 @function SecPolicyCreateDemoDigitalCatalog
1677 @abstract Returns a policy object for evaluating certificate chains for signing Digital
1678 Catalog manifests for Demo units.
1679 @discussion This policy uses the Basic X.509 policy with validity check and
1680 pinning options:
1681 * There are exactly 3 certs in the chain.
1682 * The intermediate has common name "DemoUnit CA"
1683 * The leaf has a marker extension with OID 1.2.840.113635.100.6.60
1684 @result A policy object. The caller is responsible for calling CFRelease
1685 on this when it is no longer needed.
1686 */
1687 __nullable CF_RETURNS_RETAINED
1688 SecPolicyRef SecPolicyCreateDemoDigitalCatalogSigning(void)
1689 __OSX_AVAILABLE(10.13.4) __IOS_AVAILABLE(11.3) __TVOS_AVAILABLE(11.3) __WATCHOS_AVAILABLE(4.3);
1690
1691 /*!
1692 @function SecPolicyCreateAppleAssetReceipt
1693 @abstract Returns a policy object for evaluating certificate chains for signing Asset Receipts
1694 @discussion This policy uses the Basic X.509 policy with no validity check
1695 and pinning options:
1696 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
1697 the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
1698 * There are exactly 3 certs in the chain.
1699 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.10.
1700 * The leaf has a marker extension with OID 1.2.840.113635.100.6.61.
1701 * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
1702 @result A policy object. The caller is responsible for calling CFRelease
1703 on this when it is no longer needed.
1704 */
1705 __nullable CF_RETURNS_RETAINED
1706 SecPolicyRef SecPolicyCreateAppleAssetReceipt(void)
1707 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0));
1708
1709 /*!
1710 @function SecPolicyCreateAppleDeveloperIDPlustTicket
1711 @abstract Returns a policy object for evaluating certificate chains for signing Developer ID+ Tickets
1712 @discussion This policy uses the Basic X.509 policy with no validity check
1713 and pinning options:
1714 * The chain is anchored to any of the production Apple Root CAs.
1715 * There are exactly 3 certs in the chain.
1716 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.17.
1717 * The leaf has a marker extension with OID 1.2.840.113635.100.6.1.30.
1718 * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
1719 @result A policy object. The caller is responsible for calling CFRelease
1720 on this when it is no longer needed.
1721 */
1722 __nullable CF_RETURNS_RETAINED
1723 SecPolicyRef SecPolicyCreateAppleDeveloperIDPlusTicket(void)
1724 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0));
1725
1726 /*!
1727 @function SecPolicyCreateiAPSWAuthWithExpiration
1728 @abstract Returns a policy object for verifying iAP Software Auth certificates
1729 @param checkExpiration Determines whether the policy checks expiration on the certificates
1730 @discussion The resulting policy uses the Basic X.509 policy and pinning options:
1731 * There are exactly 2 certs in the chain.
1732 * The leaf has a marker extension with OID 1.2.840.113635.100.6.59.1
1733 The intended use of this policy is that the caller pass in the
1734 SW Auth root to SecTrustSetAnchorCertificates().
1735 @result A policy object. The caller is responsible for calling CFRelease on this when
1736 it is no longer needed.
1737 */
1738 __nullable CF_RETURNS_RETAINED
1739 SecPolicyRef SecPolicyCreateiAPSWAuthWithExpiration(bool checkExpiration)
1740 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0));
1741
1742 /*!
1743 @function SecPolicyCreateAppleFDRProvisioning
1744 @abstract Returns a policy object for verifying FDR Provisioning certificates
1745 @discussion The resulting policy uses the Basic X.509 policy with no validity check.
1746 The intended use of this policy is that the caller pass in the FDR root to SecTrustSetAnchorCertificates().
1747 @result A policy object. The caller is responsible for calling CFRelease on this when
1748 it is no longer needed.
1749 */
1750 __nullable CF_RETURNS_RETAINED
1751 SecPolicyRef SecPolicyCreateAppleFDRProvisioning(void)
1752 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0));
1753
1754 /*
1755 * Legacy functions (OS X only)
1756 */
1757 #if TARGET_OS_MAC && !TARGET_OS_IPHONE
1758
1759 /*!
1760 @function SecPolicyCopy
1761 @abstract Returns a copy of a policy reference based on certificate type and OID.
1762 @param certificateType A certificate type.
1763 @param policyOID The OID of the policy you want to find. This is a required parameter. See oidsalg.h to see a list of policy OIDs.
1764 @param policy The returned policy reference. This is a required parameter.
1765 @result A result code. See "Security Error Codes" (SecBase.h).
1766 @discussion This function is deprecated in Mac OS X 10.7 and later;
1767 to obtain a policy reference, use one of the SecPolicyCreate* functions in SecPolicy.h.
1768 */
1769 OSStatus SecPolicyCopy(CSSM_CERT_TYPE certificateType, const CSSM_OID *policyOID, SecPolicyRef * __nonnull CF_RETURNS_RETAINED policy)
1770 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_3, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);
1771
1772 /*!
1773 @function SecPolicyCopyAll
1774 @abstract Returns an array of all known policies based on certificate type.
1775 @param certificateType A certificate type. This is a optional parameter. Pass CSSM_CERT_UNKNOWN if the certificate type is unknown.
1776 @param policies The returned array of policies. This is a required parameter.
1777 @result A result code. See "Security Error Codes" (SecBase.h).
1778 @discussion This function is deprecated in Mac OS X 10.7 and later;
1779 to obtain a policy reference, use one of the SecPolicyCreate* functions in SecPolicy.h. (Note: there is normally
1780 no reason to iterate over multiple disjointed policies, except to provide a way to edit trust settings for each
1781 policy, as is done in certain certificate UI views. In that specific case, your code should call SecPolicyCreateWithOID
1782 for each desired policy from the list of supported OID constants in SecPolicy.h.)
1783 */
1784 OSStatus SecPolicyCopyAll(CSSM_CERT_TYPE certificateType, CFArrayRef * __nonnull CF_RETURNS_RETAINED policies)
1785 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_3, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);
1786
1787 /* Given a unified SecPolicyRef, return a copy with a legacy
1788 C++ ItemImpl-based Policy instance. Only for internal use;
1789 legacy references cannot be used by SecPolicy API functions. */
1790 __nullable CF_RETURNS_RETAINED
1791 SecPolicyRef SecPolicyCreateItemImplInstance(SecPolicyRef policy);
1792
1793 /* Given a CSSM_OID pointer, return a string which can be passed
1794 to SecPolicyCreateWithProperties. The return value can be NULL
1795 if no supported policy was found for the OID argument. */
1796 __nullable
1797 CFStringRef SecPolicyGetStringForOID(CSSM_OID* oid)
1798 API_DEPRECATED("No longer supported", macos(10.5,10.14));
1799
1800 /*!
1801 @function SecPolicyCreateAppleTimeStampingAndRevocationPolicies
1802 @abstract Create timeStamping policy array from a given set of policies by applying identical revocation behavior
1803 @param policyOrArray can be a SecPolicyRef or a CFArray of SecPolicyRef
1804 @discussion This function is deprecated in macOS 10.13 and later. Your code should call SecPolicyCreateAppleTimeStamping
1805 and SecPolicyCreateRevocation instead to obtain these policies, then insert them into an array as needed.
1806 */
1807 __nullable CF_RETURNS_RETAINED
1808 CFArrayRef SecPolicyCreateAppleTimeStampingAndRevocationPolicies(CFTypeRef policyOrArray)
1809 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_10, __MAC_10_13, __IPHONE_NA, __IPHONE_NA);
1810
1811 #endif /* TARGET_OS_MAC && !TARGET_OS_IPHONE */
1812
1813 /* MARK: WARNING: The following constants and functions are for project use
1814 * within the Security project and are subject to change without warning */
1815
1816 /*!
1817 @enum Policy Check Keys
1818 @discussion Keys that represent various checks that can be done in a trust
1819 policy. Use outside of the Security project at your own peril.
1820 */
1821 extern const CFStringRef kSecPolicyCheckAnchorApple;
1822 extern const CFStringRef kSecPolicyCheckAnchorSHA1;
1823 extern const CFStringRef kSecPolicyCheckAnchorSHA256;
1824 extern const CFStringRef kSecPolicyCheckAnchorTrusted;
1825 extern const CFStringRef kSecPolicyCheckBasicCertificateProcessing;
1826 extern const CFStringRef kSecPolicyCheckBasicConstraints;
1827 extern const CFStringRef kSecPolicyCheckBasicConstraintsCA;
1828 extern const CFStringRef kSecPolicyCheckBasicConstraintsPathLen;
1829 extern const CFStringRef kSecPolicyCheckBlackListedKey;
1830 extern const CFStringRef kSecPolicyCheckBlackListedLeaf;
1831 extern const CFStringRef kSecPolicyCheckCertificatePolicy;
1832 extern const CFStringRef kSecPolicyCheckChainLength;
1833 extern const CFStringRef kSecPolicyCheckCriticalExtensions;
1834 extern const CFStringRef kSecPolicyCheckEAPTrustedServerNames;
1835 extern const CFStringRef kSecPolicyCheckEmail;
1836 extern const CFStringRef kSecPolicyCheckExtendedKeyUsage;
1837 extern const CFStringRef kSecPolicyCheckExtendedValidation;
1838 extern const CFStringRef kSecPolicyCheckGrayListedKey;
1839 extern const CFStringRef kSecPolicyCheckGrayListedLeaf;
1840 extern const CFStringRef kSecPolicyCheckIdLinkage;
1841 extern const CFStringRef kSecPolicyCheckIntermediateCountry;
1842 extern const CFStringRef kSecPolicyCheckIntermediateEKU;
1843 extern const CFStringRef kSecPolicyCheckIntermediateMarkerOid;
1844 extern const CFStringRef kSecPolicyCheckIntermediateOrganization;
1845 extern const CFStringRef kSecPolicyCheckIntermediateSPKISHA256;
1846 extern const CFStringRef kSecPolicyCheckIssuerCommonName;
1847 extern const CFStringRef kSecPolicyCheckKeySize;
1848 extern const CFStringRef kSecPolicyCheckKeyUsage;
1849 extern const CFStringRef kSecPolicyCheckLeafMarkerOid;
1850 extern const CFStringRef kSecPolicyCheckLeafMarkerOidWithoutValueCheck;
1851 extern const CFStringRef kSecPolicyCheckLeafMarkersProdAndQA;
1852 extern const CFStringRef kSecPolicyCheckMissingIntermediate;
1853 extern const CFStringRef kSecPolicyCheckNameConstraints;
1854 extern const CFStringRef kSecPolicyCheckNoNetworkAccess;
1855 extern const CFStringRef kSecPolicyCheckNonEmptySubject;
1856 extern const CFStringRef kSecPolicyCheckNotValidBefore;
1857 extern const CFStringRef kSecPolicyCheckPinningRequired;
1858 extern const CFStringRef kSecPolicyCheckPolicyConstraints;
1859 extern const CFStringRef kSecPolicyCheckRevocation;
1860 extern const CFStringRef kSecPolicyCheckRevocationIfTrusted;
1861 extern const CFStringRef kSecPolicyCheckRevocationOnline;
1862 extern const CFStringRef kSecPolicyCheckRevocationResponseRequired;
1863 extern const CFStringRef kSecPolicyCheckSSLHostname;
1864 extern const CFStringRef kSecPolicyCheckSignatureHashAlgorithms;
1865 extern const CFStringRef kSecPolicyCheckSubjectCommonName;
1866 extern const CFStringRef kSecPolicyCheckSubjectCommonNamePrefix;
1867 extern const CFStringRef kSecPolicyCheckSubjectCommonNameTEST;
1868 extern const CFStringRef kSecPolicyCheckSubjectOrganization;
1869 extern const CFStringRef kSecPolicyCheckSubjectOrganizationalUnit;
1870 extern const CFStringRef kSecPolicyCheckSystemTrustedWeakHash;
1871 extern const CFStringRef kSecPolicyCheckSystemTrustedWeakKey;
1872 extern const CFStringRef kSecPolicyCheckTemporalValidity;
1873 extern const CFStringRef kSecPolicyCheckUsageConstraints;
1874 extern const CFStringRef kSecPolicyCheckValidRoot;
1875 extern const CFStringRef kSecPolicyCheckWeakKeySize;
1876 extern const CFStringRef kSecPolicyCheckWeakSignature;
1877 extern const CFStringRef kSecPolicyCheckCTRequired;
1878
1879 /* Special option for checking Apple Anchors */
1880 extern const CFStringRef kSecPolicyAppleAnchorIncludeTestRoots;
1881
1882 /* Special option for checking Prod and QA Markers */
1883 extern const CFStringRef kSecPolicyLeafMarkerProd;
1884 extern const CFStringRef kSecPolicyLeafMarkerQA;
1885
1886 /* Special option for checking Revocation */
1887 extern const CFStringRef kSecPolicyCheckRevocationOCSP;
1888 extern const CFStringRef kSecPolicyCheckRevocationCRL;
1889 extern const CFStringRef kSecPolicyCheckRevocationAny;
1890
1891 /* Policy Names */
1892 extern const CFStringRef kSecPolicyNameX509Basic;
1893 extern const CFStringRef kSecPolicyNameSSLServer;
1894 extern const CFStringRef kSecPolicyNameSSLClient;
1895 extern const CFStringRef kSecPolicyNameEAPServer;
1896 extern const CFStringRef kSecPolicyNameEAPClient;
1897 extern const CFStringRef kSecPolicyNameIPSecServer;
1898 extern const CFStringRef kSecPolicyNameIPSecClient;
1899 extern const CFStringRef kSecPolicyNameSMIME;
1900 extern const CFStringRef kSecPolicyNameCodeSigning;
1901 extern const CFStringRef kSecPolicyNameTimeStamping;
1902 extern const CFStringRef kSecPolicyNameOCSPSigner;
1903
1904 /*
1905 * MARK: SecPolicyCheckCert functions
1906 */
1907 bool SecPolicyCheckCertSSLHostname(SecCertificateRef cert, CFTypeRef pvcValue);
1908 bool SecPolicyCheckCertEmail(SecCertificateRef cert, CFTypeRef pvcValue);
1909 bool SecPolicyCheckCertTemporalValidity(SecCertificateRef cert, CFTypeRef pvcValue);
1910 bool SecPolicyCheckCertWeakKeySize(SecCertificateRef cert, CFTypeRef __nullable pvcValue);
1911 bool SecPolicyCheckCertKeyUsage(SecCertificateRef cert, CFTypeRef pvcValue);
1912 bool SecPolicyCheckCertExtendedKeyUsage(SecCertificateRef cert, CFTypeRef pvcValue);
1913 bool SecPolicyCheckCertSubjectCommonName(SecCertificateRef cert, CFTypeRef pvcValue);
1914 bool SecPolicyCheckCertSubjectCommonNamePrefix(SecCertificateRef cert, CFTypeRef pvcValue);
1915 bool SecPolicyCheckCertSubjectCommonNameTEST(SecCertificateRef cert, CFTypeRef pvcValue);
1916 bool SecPolicyCheckCertSubjectOrganization(SecCertificateRef cert, CFTypeRef pvcValue);
1917 bool SecPolicyCheckCertSubjectOrganizationalUnit(SecCertificateRef cert, CFTypeRef pvcValue);
1918 bool SecPolicyCheckCertNotValidBefore(SecCertificateRef cert, CFTypeRef pvcValue);
1919 bool SecPolicyCheckCertEAPTrustedServerNames(SecCertificateRef cert, CFTypeRef pvcValue);
1920 bool SecPolicyCheckCertLeafMarkerOid(SecCertificateRef cert, CFTypeRef pvcValue);
1921 bool SecPolicyCheckCertLeafMarkerOidWithoutValueCheck(SecCertificateRef cert, CFTypeRef pvcValue);
1922 bool SecPolicyCheckCertLeafMarkersProdAndQA(SecCertificateRef cert, CFTypeRef pvcValue);
1923 bool SecPolicyCheckCertNonEmptySubject(SecCertificateRef cert, CFTypeRef __nullable pvcValue);
1924 bool SecPolicyCheckCertKeySize(SecCertificateRef cert, CFTypeRef pvcValue);
1925 bool SecPolicyCheckCertWeakSignature(SecCertificateRef cert, CFTypeRef __nullable pvcValue);
1926 bool SecPolicyCheckCertSignatureHashAlgorithms(SecCertificateRef cert, CFTypeRef pvcValue);
1927 bool SecPolicyCheckCertCertificatePolicy(SecCertificateRef cert, CFTypeRef pvcValue);
1928 bool SecPolicyCheckCertCriticalExtensions(SecCertificateRef cert, CFTypeRef __nullable pvcValue);
1929 bool SecPolicyCheckCertSubjectCountry(SecCertificateRef cert, CFTypeRef pvcValue);
1930
1931 void SecPolicySetName(SecPolicyRef policy, CFStringRef policyName);
1932 __nullable CFArrayRef SecPolicyXPCArrayCopyArray(xpc_object_t xpc_policies, CFErrorRef *error);
1933
1934 void SecPolicySetOptionsValue(SecPolicyRef policy, CFStringRef key, CFTypeRef value);
1935
1936 CF_IMPLICIT_BRIDGING_DISABLED
1937 CF_ASSUME_NONNULL_END
1938
1939 __END_DECLS
1940
1941 #endif /* !_SECURITY_SECPOLICYPRIV_H_ */