]> git.saurik.com Git - apple/security.git/blob - trust/SecPolicy.h
Security-58286.60.28.tar.gz
[apple/security.git] / trust / SecPolicy.h
1 /*
2 * Copyright (c) 2002-2016 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 /*!
25 @header SecPolicy
26 The functions provided in SecPolicy.h provide an interface to various
27 X.509 certificate trust policies.
28 */
29
30 #ifndef _SECURITY_SECPOLICY_H_
31 #define _SECURITY_SECPOLICY_H_
32
33 #include <CoreFoundation/CFBase.h>
34 #include <CoreFoundation/CFDictionary.h>
35 #include <Security/SecBase.h>
36
37 __BEGIN_DECLS
38
39 CF_ASSUME_NONNULL_BEGIN
40 CF_IMPLICIT_BRIDGING_ENABLED
41
42 /*!
43 @enum Policy Constants
44 @discussion Predefined constants used to specify a policy.
45 @constant kSecPolicyAppleX509Basic
46 @constant kSecPolicyAppleSSL
47 @constant kSecPolicyAppleSMIME
48 @constant kSecPolicyAppleEAP
49 @constant kSecPolicyAppleiChat
50 @constant kSecPolicyAppleIPsec
51 @constant kSecPolicyApplePKINITClient
52 @constant kSecPolicyApplePKINITServer
53 @constant kSecPolicyAppleCodeSigning
54 @constant kSecPolicyMacAppStoreReceipt
55 @constant kSecPolicyAppleIDValidation
56 @constant kSecPolicyAppleTimeStamping
57 @constant kSecPolicyAppleRevocation
58 @constant kSecPolicyApplePassbookSigning
59 @constant kSecPolicyApplePayIssuerEncryption
60 */
61 extern const CFStringRef kSecPolicyAppleX509Basic
62 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
63 extern const CFStringRef kSecPolicyAppleSSL
64 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
65 extern const CFStringRef kSecPolicyAppleSMIME
66 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
67 extern const CFStringRef kSecPolicyAppleEAP
68 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
69 extern const CFStringRef kSecPolicyAppleIPsec
70 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
71 #if TARGET_OS_OSX
72 extern const CFStringRef kSecPolicyAppleiChat
73 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_7, __MAC_10_9, __IPHONE_NA, __IPHONE_NA);
74 #endif
75 extern const CFStringRef kSecPolicyApplePKINITClient
76 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
77 extern const CFStringRef kSecPolicyApplePKINITServer
78 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
79 extern const CFStringRef kSecPolicyAppleCodeSigning
80 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
81 extern const CFStringRef kSecPolicyMacAppStoreReceipt
82 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_9_0);
83 extern const CFStringRef kSecPolicyAppleIDValidation
84 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
85 extern const CFStringRef kSecPolicyAppleTimeStamping
86 __OSX_AVAILABLE_STARTING(__MAC_10_8, __IPHONE_7_0);
87 extern const CFStringRef kSecPolicyAppleRevocation
88 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
89 extern const CFStringRef kSecPolicyApplePassbookSigning
90 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
91 extern const CFStringRef kSecPolicyApplePayIssuerEncryption
92 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
93
94 /*!
95 @enum Policy Value Constants
96 @abstract Predefined property key constants used to get or set values in
97 a dictionary for a policy instance.
98 @discussion
99 All policies will have the following read-only value:
100 kSecPolicyOid (the policy object identifier)
101
102 Additional policy values which your code can optionally set:
103 kSecPolicyName (name which must be matched)
104 kSecPolicyClient (evaluate for client, rather than server)
105 kSecPolicyRevocationFlags (only valid for a revocation policy)
106 kSecPolicyTeamIdentifier (only valid for a Passbook signing policy)
107
108 @constant kSecPolicyOid Specifies the policy OID (value is a CFStringRef)
109 @constant kSecPolicyName Specifies a CFStringRef (or CFArrayRef of same)
110 containing a name which must be matched in the certificate to satisfy
111 this policy. For SSL/TLS, EAP, and IPSec policies, this specifies the
112 server name which must match the common name of the certificate.
113 For S/MIME, this specifies the RFC822 email address. For Passbook
114 signing, this specifies the pass signer.
115 @constant kSecPolicyClient Specifies a CFBooleanRef value that indicates
116 this evaluation should be for a client certificate. If not set (or
117 false), the policy evaluates the certificate as a server certificate.
118 @constant kSecPolicyRevocationFlags Specifies a CFNumberRef that holds a
119 kCFNumberCFIndexType bitmask value. See "Revocation Policy Constants"
120 for a description of individual bits in this value.
121 @constant kSecPolicyTeamIdentifier Specifies a CFStringRef containing a
122 team identifier which must be matched in the certificate to satisfy
123 this policy. For the Passbook signing policy, this string must match
124 the Organizational Unit field of the certificate subject.
125 */
126 extern const CFStringRef kSecPolicyOid
127 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
128 extern const CFStringRef kSecPolicyName
129 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
130 extern const CFStringRef kSecPolicyClient
131 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
132 extern const CFStringRef kSecPolicyRevocationFlags
133 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
134 extern const CFStringRef kSecPolicyTeamIdentifier
135 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
136
137
138 /*!
139 @function SecPolicyGetTypeID
140 @abstract Returns the type identifier of SecPolicy instances.
141 @result The CFTypeID of SecPolicy instances.
142 */
143 CFTypeID SecPolicyGetTypeID(void)
144 __OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_2_0);
145
146 /*!
147 @function SecPolicyCopyProperties
148 @abstract Returns a dictionary of this policy's properties.
149 @param policyRef A policy reference.
150 @result A properties dictionary. See "Policy Value Constants" for a list
151 of currently defined property keys. It is the caller's responsibility to
152 CFRelease this reference when it is no longer needed.
153 @result A result code. See "Security Error Codes" (SecBase.h).
154 @discussion This function returns the properties for a policy, as set by the
155 policy's construction function or by a prior call to SecPolicySetProperties.
156 */
157 __nullable
158 CFDictionaryRef SecPolicyCopyProperties(SecPolicyRef policyRef)
159 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
160
161 /*!
162 @function SecPolicyCreateBasicX509
163 @abstract Returns a policy object for the default X.509 policy.
164 @result A policy object. The caller is responsible for calling CFRelease
165 on this when it is no longer needed.
166 */
167 SecPolicyRef SecPolicyCreateBasicX509(void)
168 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
169
170 /*!
171 @function SecPolicyCreateSSL
172 @abstract Returns a policy object for evaluating SSL certificate chains.
173 @param server Passing true for this parameter creates a policy for SSL
174 server certificates.
175 @param hostname (Optional) If present, the policy will require the specified
176 hostname to match the hostname in the leaf certificate.
177 @result A policy object. The caller is responsible for calling CFRelease
178 on this when it is no longer needed.
179 */
180 SecPolicyRef SecPolicyCreateSSL(Boolean server, CFStringRef __nullable hostname)
181 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
182
183 /*!
184 @enum Revocation Policy Constants
185 @abstract Predefined constants which allow you to specify how revocation
186 checking will be performed for a trust evaluation.
187 @constant kSecRevocationOCSPMethod If this flag is set, perform revocation
188 checking using OCSP (Online Certificate Status Protocol).
189 @constant kSecRevocationCRLMethod If this flag is set, perform revocation
190 checking using the CRL (Certificate Revocation List) method.
191 @constant kSecRevocationPreferCRL If this flag is set, then CRL revocation
192 checking will be preferred over OCSP (by default, OCSP is preferred.)
193 Note that this flag only matters if both revocation methods are specified.
194 @constant kSecRevocationRequirePositiveResponse If this flag is set, then
195 the policy will fail unless a verified positive response is obtained. If
196 the flag is not set, revocation checking is done on a "best attempt" basis,
197 where failure to reach the server is not considered fatal.
198 @constant kSecRevocationNetworkAccessDisabled If this flag is set, then
199 no network access is performed; only locally cached replies are consulted.
200 @constant kSecRevocationUseAnyAvailableMethod Specifies that either
201 OCSP or CRL may be used, depending on the method(s) specified in the
202 certificate and the value of kSecRevocationPreferCRL.
203 */
204 CF_ENUM(CFOptionFlags) {
205 kSecRevocationOCSPMethod = (1 << 0),
206 kSecRevocationCRLMethod = (1 << 1),
207 kSecRevocationPreferCRL = (1 << 2),
208 kSecRevocationRequirePositiveResponse = (1 << 3),
209 kSecRevocationNetworkAccessDisabled = (1 << 4),
210 kSecRevocationUseAnyAvailableMethod = (kSecRevocationOCSPMethod |
211 kSecRevocationCRLMethod)
212 };
213
214 /*!
215 @function SecPolicyCreateRevocation
216 @abstract Returns a policy object for checking revocation of certificates.
217 @result A policy object. The caller is responsible for calling CFRelease
218 on this when it is no longer needed.
219 @param revocationFlags Flags to specify revocation checking options.
220 @discussion Use this function to create a revocation policy with behavior
221 specified by revocationFlags. See the "Revocation Policy Constants" section
222 for a description of these flags. Note: it is usually not necessary to
223 create a revocation policy yourself unless you wish to override default
224 system behavior (e.g. to force a particular method, or to disable
225 revocation checking entirely.)
226 */
227 __nullable
228 SecPolicyRef SecPolicyCreateRevocation(CFOptionFlags revocationFlags)
229 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
230
231 /*!
232 @function SecPolicyCreateWithProperties
233 @abstract Returns a policy object based on an object identifier for the
234 policy type. See the "Policy Constants" section for a list of defined
235 policy object identifiers.
236 @param policyIdentifier The identifier for the desired policy type.
237 @param properties (Optional) A properties dictionary. See "Policy Value
238 Constants" for a list of currently defined property keys.
239 @result The returned policy reference, or NULL if the policy could not be
240 created.
241 */
242 __nullable
243 SecPolicyRef SecPolicyCreateWithProperties(CFTypeRef policyIdentifier,
244 CFDictionaryRef __nullable properties)
245 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
246
247 CF_IMPLICIT_BRIDGING_DISABLED
248 CF_ASSUME_NONNULL_END
249
250 /*
251 * Legacy functions (OS X only)
252 */
253 #if TARGET_OS_MAC && !TARGET_OS_IPHONE
254 #include <Security/cssmtype.h>
255
256 CF_ASSUME_NONNULL_BEGIN
257 CF_IMPLICIT_BRIDGING_ENABLED
258
259 /*!
260 @enum Policy Value Constants (OS X)
261 @discussion Predefined property key constants used to get or set values in
262 a dictionary for a policy instance.
263
264 Some policy values may specify CFBooleanRef key usage constraints:
265 kSecPolicyKU_DigitalSignature
266 kSecPolicyKU_NonRepudiation
267 kSecPolicyKU_KeyEncipherment
268 kSecPolicyKU_DataEncipherment
269 kSecPolicyKU_KeyAgreement
270 kSecPolicyKU_KeyCertSign
271 kSecPolicyKU_CRLSign
272 kSecPolicyKU_EncipherOnly
273 kSecPolicyKU_DecipherOnly
274
275 kSecPolicyKU policy values define certificate-level key purposes,
276 in contrast to the key-level definitions in SecItem.h
277
278 For example, a key in a certificate might be acceptable to use for
279 signing a CRL, but not for signing another certificate. In either
280 case, this key would have the ability to sign (i.e. kSecAttrCanSign
281 is true), but may only sign for specific purposes allowed by these
282 policy constants. Similarly, a public key might have the capability
283 to perform encryption or decryption, but the certificate in which it
284 resides might have a decipher-only certificate policy.
285
286 These constants correspond to values defined in RFC 5280, section
287 4.2.1.3 (Key Usage) which define the purpose of a key contained in a
288 certificate, in contrast to section 4.1.2.7 which define the uses that
289 a key is capable of.
290
291 Note: these constants are not available on iOS. Your code should
292 avoid direct reliance on these values for making policy decisions
293 and use higher level policies where possible.
294
295 @constant kSecPolicyKU_DigitalSignature Specifies that the certificate must
296 have a key usage that allows it to be used for signing.
297 @constant kSecPolicyKU_NonRepudiation Specifies that the certificate must
298 have a key usage that allows it to be used for non-repudiation.
299 @constant kSecPolicyKU_KeyEncipherment Specifies that the certificate must
300 have a key usage that allows it to be used for key encipherment.
301 @constant kSecPolicyKU_DataEncipherment Specifies that the certificate must
302 have a key usage that allows it to be used for data encipherment.
303 @constant kSecPolicyKU_KeyAgreement Specifies that the certificate must
304 have a key usage that allows it to be used for key agreement.
305 @constant kSecPolicyKU_KeyCertSign Specifies that the certificate must
306 have a key usage that allows it to be used for signing certificates.
307 @constant kSecPolicyKU_CRLSign Specifies that the certificate must
308 have a key usage that allows it to be used for signing CRLs.
309 @constant kSecPolicyKU_EncipherOnly Specifies that the certificate must
310 have a key usage that permits it to be used for encryption only.
311 @constant kSecPolicyKU_DecipherOnly Specifies that the certificate must
312 have a key usage that permits it to be used for decryption only.
313 */
314 extern const CFStringRef kSecPolicyKU_DigitalSignature
315 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
316 extern const CFStringRef kSecPolicyKU_NonRepudiation
317 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
318 extern const CFStringRef kSecPolicyKU_KeyEncipherment
319 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
320 extern const CFStringRef kSecPolicyKU_DataEncipherment
321 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
322 extern const CFStringRef kSecPolicyKU_KeyAgreement
323 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
324 extern const CFStringRef kSecPolicyKU_KeyCertSign
325 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
326 extern const CFStringRef kSecPolicyKU_CRLSign
327 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
328 extern const CFStringRef kSecPolicyKU_EncipherOnly
329 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
330 extern const CFStringRef kSecPolicyKU_DecipherOnly
331 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
332
333 /*!
334 @function SecPolicyCreateWithOID
335 @abstract Returns a policy object based on an object identifier for the
336 policy type. See the "Policy Constants" section for a list of defined
337 policy object identifiers.
338 @param policyOID The OID of the desired policy.
339 @result The returned policy reference, or NULL if the policy could not be
340 created.
341 @discussion This function is deprecated in Mac OS X 10.9 and later;
342 use SecPolicyCreateWithProperties (or a more specific policy creation
343 function) instead.
344 */
345 __nullable
346 SecPolicyRef SecPolicyCreateWithOID(CFTypeRef policyOID)
347 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_7, __MAC_10_9, __IPHONE_NA, __IPHONE_NA);
348
349 /*!
350 @function SecPolicyGetOID
351 @abstract Returns a policy's object identifier.
352 @param policyRef A policy reference.
353 @param oid On return, a pointer to the policy's object identifier.
354 @result A result code. See "Security Error Codes" (SecBase.h).
355 @discussion This function is deprecated in Mac OS X 10.7 and later;
356 use SecPolicyCopyProperties instead.
357 */
358 OSStatus SecPolicyGetOID(SecPolicyRef policyRef, CSSM_OID *oid)
359 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);
360
361 /*!
362 @function SecPolicyGetValue
363 @abstract Returns a policy's value.
364 @param policyRef A policy reference.
365 @param value On return, a pointer to the policy's value.
366 @result A result code. See "Security Error Codes" (SecBase.h).
367 @discussion This function is deprecated in Mac OS X 10.7 and later;
368 use SecPolicyCopyProperties instead.
369 */
370 OSStatus SecPolicyGetValue(SecPolicyRef policyRef, CSSM_DATA *value)
371 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);
372
373 /*!
374 @function SecPolicySetValue
375 @abstract Sets a policy's value.
376 @param policyRef A policy reference.
377 @param value The value to be set into the policy object, replacing any
378 previous value.
379 @result A result code. See "Security Error Codes" (SecBase.h).
380 @discussion This function is deprecated in Mac OS X 10.7 and later. Policy
381 instances should be considered read-only; in cases where your code would
382 consider changing properties of a policy, it should instead create a new
383 policy instance with the desired properties.
384 */
385 OSStatus SecPolicySetValue(SecPolicyRef policyRef, const CSSM_DATA *value)
386 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);
387
388 /*!
389 @function SecPolicySetProperties
390 @abstract Sets a policy's properties.
391 @param policyRef A policy reference.
392 @param properties A properties dictionary. See "Policy Value Constants"
393 for a list of currently defined property keys. This dictionary replaces the
394 policy's existing properties, if any. Note that the policy OID (specified
395 by kSecPolicyOid) is a read-only property of the policy and cannot be set.
396 @result A result code. See "Security Error Codes" (SecBase.h).
397 @discussion This function is deprecated in Mac OS X 10.9 and later. Policy
398 instances should be considered read-only; in cases where your code would
399 consider changing properties of a policy, it should instead create a new
400 policy instance with the desired properties.
401 */
402 OSStatus SecPolicySetProperties(SecPolicyRef policyRef,
403 CFDictionaryRef properties)
404 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_7, __MAC_10_9, __IPHONE_NA, __IPHONE_NA);
405
406 /*!
407 @function SecPolicyGetTPHandle
408 @abstract Returns the CSSM trust policy handle for the given policy.
409 @param policyRef A policy reference.
410 @param tpHandle On return, a pointer to a value of type CSSM_TP_HANDLE.
411 @result A result code. See "Security Error Codes" (SecBase.h).
412 @discussion This function is deprecated in Mac OS X 10.7 and later.
413 */
414 OSStatus SecPolicyGetTPHandle(SecPolicyRef policyRef, CSSM_TP_HANDLE *tpHandle)
415 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);
416
417 CF_IMPLICIT_BRIDGING_DISABLED
418 CF_ASSUME_NONNULL_END
419
420 #endif /* TARGET_OS_MAC && !TARGET_OS_IPHONE */
421
422 __END_DECLS
423
424 #endif /* !_SECURITY_SECPOLICY_H_ */