]> git.saurik.com Git - apple/security.git/blob - OSX/libsecurity_cssm/lib/cssmapple.h
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-57740.20.22.tar.gz
[apple/security.git] / OSX / libsecurity_cssm / lib / cssmapple.h
1 /*
2 * Copyright (c) 2000-2015 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 *
23 * cssmapple.h -- CSSM features specific to Apple's Implementation
24 */
25
26 #ifndef _CSSMAPPLE_H_
27 #define _CSSMAPPLE_H_ 1
28
29 #include <Security/cssmerr.h>
30 #include <Security/cssmtype.h>
31 #include <Security/x509defs.h> /* for CSSM_APPLE_TP_CERT_REQUEST fields */
32 #include <Security/certextensions.h> /* ditto */
33 #include <sys/types.h> /* for the BSD *_t types */
34 #include <stdbool.h>
35
36 #ifdef __cplusplus
37 extern "C" {
38 #endif
39
40 #pragma clang diagnostic push
41 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
42
43 /* Guids for standard Apple addin modules. */
44
45 /* CSSM itself: {87191ca0-0fc9-11d4-849a-000502b52122} */
46 extern const CSSM_GUID gGuidCssm;
47
48 /* File based DL (aka "Keychain DL"): {87191ca1-0fc9-11d4-849a-000502b52122} */
49 extern const CSSM_GUID gGuidAppleFileDL;
50
51 /* Core CSP (local space): {87191ca2-0fc9-11d4-849a-000502b52122} */
52 extern const CSSM_GUID gGuidAppleCSP;
53
54 /* Secure CSP/DL (aka "Keychain CSPDL): {87191ca3-0fc9-11d4-849a-000502b52122} */
55 extern const CSSM_GUID gGuidAppleCSPDL;
56
57 /* X509 Certificate CL: {87191ca4-0fc9-11d4-849a-000502b52122} */
58 extern const CSSM_GUID gGuidAppleX509CL;
59
60 /* X509 Certificate TP: {87191ca5-0fc9-11d4-849a-000502b52122} */
61 extern const CSSM_GUID gGuidAppleX509TP;
62
63 /* DLAP/OpenDirectory access DL: {87191ca6-0fc9-11d4-849a-000502b52122} */
64 extern const CSSM_GUID gGuidAppleLDAPDL;
65
66 /* TP for ".mac" related policies: {87191ca7-0fc9-11d4-849a-000502b52122} */
67 extern const CSSM_GUID gGuidAppleDotMacTP;
68
69 /* Smartcard CSP/DL: {87191ca8-0fc9-11d4-849a-000502b52122} */
70 extern const CSSM_GUID gGuidAppleSdCSPDL;
71
72 /* DL for ".mac" certificate access: {87191ca9-0fc9-11d4-849a-000502b52122} */
73 extern const CSSM_GUID gGuidAppleDotMacDL;
74
75
76 /* Apple defined WORDID values */
77 enum
78 {
79 CSSM_WORDID_KEYCHAIN_PROMPT = CSSM_WORDID_VENDOR_START,
80 CSSM_WORDID_KEYCHAIN_LOCK,
81 CSSM_WORDID_KEYCHAIN_CHANGE_LOCK,
82 CSSM_WORDID_PROCESS,
83 CSSM_WORDID__RESERVED_1, /* was used in 10.2 test seeds; no longer in use */
84 CSSM_WORDID_SYMMETRIC_KEY,
85 CSSM_WORDID_SYSTEM,
86 CSSM_WORDID_KEY,
87 CSSM_WORDID_PIN,
88 CSSM_WORDID_PREAUTH,
89 CSSM_WORDID_PREAUTH_SOURCE,
90 CSSM_WORDID_ASYMMETRIC_KEY,
91 CSSM_WORDID_PARTITION,
92 CSSM_WORDID__FIRST_UNUSED
93 };
94
95 /* Apple defined ACL subject and credential types */
96 enum
97 {
98 CSSM_ACL_SUBJECT_TYPE_KEYCHAIN_PROMPT = CSSM_WORDID_KEYCHAIN_PROMPT,
99 CSSM_ACL_SUBJECT_TYPE_PROCESS = CSSM_WORDID_PROCESS,
100 CSSM_ACL_SUBJECT_TYPE_CODE_SIGNATURE = CSSM_WORDID_SIGNATURE,
101 CSSM_ACL_SUBJECT_TYPE_COMMENT = CSSM_WORDID_COMMENT,
102 CSSM_ACL_SUBJECT_TYPE_SYMMETRIC_KEY = CSSM_WORDID_SYMMETRIC_KEY,
103 CSSM_ACL_SUBJECT_TYPE_PREAUTH = CSSM_WORDID_PREAUTH,
104 CSSM_ACL_SUBJECT_TYPE_PREAUTH_SOURCE = CSSM_WORDID_PREAUTH_SOURCE,
105 CSSM_ACL_SUBJECT_TYPE_ASYMMETRIC_KEY = CSSM_WORDID_ASYMMETRIC_KEY,
106 CSSM_ACL_SUBJECT_TYPE_PARTITION = CSSM_WORDID_PARTITION,
107 };
108
109 enum
110 {
111 CSSM_SAMPLE_TYPE_KEYCHAIN_PROMPT = CSSM_WORDID_KEYCHAIN_PROMPT,
112 CSSM_SAMPLE_TYPE_KEYCHAIN_LOCK = CSSM_WORDID_KEYCHAIN_LOCK,
113 CSSM_SAMPLE_TYPE_KEYCHAIN_CHANGE_LOCK = CSSM_WORDID_KEYCHAIN_CHANGE_LOCK,
114 CSSM_SAMPLE_TYPE_PROCESS = CSSM_WORDID_PROCESS,
115 CSSM_SAMPLE_TYPE_COMMENT = CSSM_WORDID_COMMENT,
116 CSSM_SAMPLE_TYPE_RETRY_ID = CSSM_WORDID_PROPAGATE,
117 CSSM_SAMPLE_TYPE_SYMMETRIC_KEY = CSSM_WORDID_SYMMETRIC_KEY,
118 CSSM_SAMPLE_TYPE_PREAUTH = CSSM_WORDID_PREAUTH,
119 CSSM_SAMPLE_TYPE_ASYMMETRIC_KEY = CSSM_WORDID_ASYMMETRIC_KEY
120 // there is no CSSM_SAMPLE_TYPE_PREAUTH_SOURCE
121 };
122
123
124 /* Apple-defined ACL authorization tags */
125 enum {
126 CSSM_ACL_AUTHORIZATION_CHANGE_ACL = CSSM_ACL_AUTHORIZATION_TAG_VENDOR_DEFINED_START,
127 CSSM_ACL_AUTHORIZATION_CHANGE_OWNER,
128 CSSM_ACL_AUTHORIZATION_PARTITION_ID,
129 CSSM_ACL_AUTHORIZATION_INTEGRITY,
130
131 // the "pre-auth" tags form a contiguous range of (up to) 64K pre-authorizations
132 CSSM_ACL_AUTHORIZATION_PREAUTH_BASE =
133 CSSM_ACL_AUTHORIZATION_TAG_VENDOR_DEFINED_START + 0x1000000,
134 CSSM_ACL_AUTHORIZATION_PREAUTH_END = CSSM_ACL_AUTHORIZATION_PREAUTH_BASE + 0x10000
135 };
136
137 /* pre-authorization conversions (auth-tag to slot and back) */
138 #define CSSM_ACL_AUTHORIZATION_PREAUTH(slot) \
139 (CSSM_ACL_AUTHORIZATION_PREAUTH_BASE + (slot))
140 #define CSSM_ACL_AUTHORIZATION_PREAUTH_SLOT(auth) \
141 ((auth) - CSSM_ACL_AUTHORIZATION_PREAUTH_BASE)
142 #define CSSM_ACL_AUTHORIZATION_IS_PREAUTH(auth) \
143 ((auth) >= CSSM_ACL_AUTHORIZATION_PREAUTH_BASE && \
144 (auth) < CSSM_ACL_AUTHORIZATION_PREAUTH_END)
145
146
147 /* Parameters and structures for Apple-defined ACL subjects and samples */
148
149 enum { /* types of code signatures - item 1 of CSSM_ACL_SUBJECT_TYPE_CODE_SIGNATURE subjects */
150 CSSM_ACL_CODE_SIGNATURE_INVALID = 0, /* standard OS X code signature */
151 CSSM_ACL_CODE_SIGNATURE_OSX = 1 /* standard OS X code signature */
152 };
153
154 /* ACL subjects of type PROCESS */
155
156 enum { /* PROCESS_SUBJECT mask fields */
157 CSSM_ACL_MATCH_UID = 0x01, /* match userid against uid field */
158 CSSM_ACL_MATCH_GID = 0x02, /* match groupid against gid field */
159 CSSM_ACL_MATCH_HONOR_ROOT = 0x100, /* let root (uid 0) match any userid */
160 CSSM_ACL_MATCH_BITS = CSSM_ACL_MATCH_UID | CSSM_ACL_MATCH_GID
161 };
162
163 enum { /* PROCESS_SUBJECT structure version field */
164 CSSM_ACL_PROCESS_SELECTOR_CURRENT_VERSION = 0x101
165 };
166
167 typedef struct cssm_acl_process_subject_selector { /* PROCESS_SUBJECT selector */
168 uint16 version; /* version of this selector */
169 uint16 mask; /* active fields mask */
170 uint32 uid; /* effective user id match */
171 uint32 gid; /* effective group id match */
172 } CSSM_ACL_PROCESS_SUBJECT_SELECTOR;
173
174 /* ACL subjects of type KEYCHAIN_PROMPT */
175
176 enum { /* KEYCHAIN_PROMPT structure version field */
177 CSSM_ACL_KEYCHAIN_PROMPT_CURRENT_VERSION = 0x101
178 };
179
180 enum { /* KEYCHAIN_PROMPT operational flags */
181 CSSM_ACL_KEYCHAIN_PROMPT_REQUIRE_PASSPHRASE = 0x0001, /* require re-entering of passphrase */
182 /* the following bits are ignored by 10.4 and earlier */
183 CSSM_ACL_KEYCHAIN_PROMPT_UNSIGNED = 0x0010, /* prompt for unsigned clients */
184 CSSM_ACL_KEYCHAIN_PROMPT_UNSIGNED_ACT = 0x0020, /* UNSIGNED bit overrides system default */
185 CSSM_ACL_KEYCHAIN_PROMPT_INVALID = 0x0040, /* prompt for invalid signed clients */
186 CSSM_ACL_KEYCHAIN_PROMPT_INVALID_ACT = 0x0080, /* INVALID bit overrides system default */
187 };
188
189 typedef struct cssm_acl_keychain_prompt_selector { /* KEYCHAIN_PROMPT selector */
190 uint16 version; /* version of this selector */
191 uint16 flags; /* flag bits */
192 } CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR;
193
194 /* ACL subjects of type CSSM_ACL_SUBJECT_TYPE_PREAUTH_SOURCE */
195 typedef uint32 CSSM_ACL_PREAUTH_TRACKING_STATE;
196 enum { /* preauth tracking state */
197 CSSM_ACL_PREAUTH_TRACKING_COUNT_MASK = 0xff, /* mask for count status */
198 CSSM_ACL_PREAUTH_TRACKING_BLOCKED = 0, /* retries exhausted; the slot is blocked */
199 /* 0 .. 255 is a count of (re)tries remaining */
200
201 /* bits or'ed into any count given */
202 CSSM_ACL_PREAUTH_TRACKING_UNKNOWN = 0x40000000, /* status of slot is unknown (ignore count) */
203 CSSM_ACL_PREAUTH_TRACKING_AUTHORIZED = 0x80000000 /* the slot is currently authorized (or'ed in) */
204 };
205
206
207 /* Apple defined values of a CSSM_DB_ACCESS_TYPE */
208 enum {
209 CSSM_DB_ACCESS_RESET = 0x10000 /* clear pre-authentications (or'ed bit) */
210 };
211
212
213 /* Apple defined algorithm IDs */
214 enum
215 {
216 CSSM_ALGID_APPLE_YARROW = CSSM_ALGID_VENDOR_DEFINED,
217 CSSM_ALGID_AES, /* RijnDael */
218 CSSM_ALGID_FEE, /* FEE Key Generation */
219 CSSM_ALGID_FEE_MD5, /* FEE/ElGamal signature w/ MD5 hash */
220 CSSM_ALGID_FEE_SHA1, /* FEE/ElGamal signature w/ SHA1 hash */
221 CSSM_ALGID_FEED, /* 1:1 FEE asymmetric encryption */
222 CSSM_ALGID_FEEDEXP, /* 2:1 FEE asymmetric encryption */
223 CSSM_ALGID_ASC, /* Apple Secure Compression */
224 CSSM_ALGID_SHA1HMAC_LEGACY, /* HMAC/SHA1, legacy compatible */
225 CSSM_ALGID_KEYCHAIN_KEY, /* derive or manipulate keychain master keys */
226 CSSM_ALGID_PKCS12_PBE_ENCR, /* PKCS12, encrypt/decrypt key */
227 CSSM_ALGID_PKCS12_PBE_MAC, /* PKCS12, MAC key */
228 CSSM_ALGID_SECURE_PASSPHRASE, /* passphrase acquired by SecurityServer */
229 CSSM_ALGID_PBE_OPENSSL_MD5, /* traditional openssl key derivation */
230 CSSM_ALGID_SHA256, /* 256-bit SHA2 */
231 CSSM_ALGID_SHA384, /* 384-bit SHA2 */
232 CSSM_ALGID_SHA512, /* 512-bit SHA2 */
233 CSSM_ALGID_ENTROPY_DEFAULT, /* default entropy source of (CSP) device, if any */
234 CSSM_ALGID_SHA224, /* SHA2, 224 bit */
235 CSSM_ALGID_SHA224WithRSA, /* RSA signature on SHA224 digest */
236 CSSM_ALGID_SHA256WithRSA, /* RSA signature on SHA256 digest */
237 CSSM_ALGID_SHA384WithRSA, /* RSA signature on SHA384 digest */
238 CSSM_ALGID_SHA512WithRSA, /* RSA signature on SHA512 digest */
239 CSSM_ALGID_OPENSSH1, /* OpenSSH v1 RSA key wrapping */
240 CSSM_ALGID_SHA224WithECDSA, /* ECDSA signature on SHA224 digest */
241 CSSM_ALGID_SHA256WithECDSA, /* ECDSA signature on SHA256 digest */
242 CSSM_ALGID_SHA384WithECDSA, /* ECDSA signature on SHA384 digest */
243 CSSM_ALGID_SHA512WithECDSA, /* ECDSA signature on SHA512 digest */
244 CSSM_ALGID_ECDSA_SPECIFIED, /* ECDSA with separate digest algorithm specifier */
245 CSSM_ALGID_ECDH_X963_KDF, /* ECDH with X9.63 key derivation */
246 CSSM_ALGID__FIRST_UNUSED
247 };
248
249 /* Apple defined padding */
250 enum
251 {
252 /* RFC 2246 section E.2 for SSLv2 rollback detection */
253 CSSM_PADDING_APPLE_SSLv2 = CSSM_PADDING_VENDOR_DEFINED
254 };
255
256
257 /* Apple defined keyblob formats */
258 enum {
259 CSSM_KEYBLOB_RAW_FORMAT_VENDOR_DEFINED = 0x80000000
260 };
261 enum {
262 /* X509 SubjectPublicKeyInfo */
263 CSSM_KEYBLOB_RAW_FORMAT_X509 = CSSM_KEYBLOB_RAW_FORMAT_VENDOR_DEFINED,
264 /* OpenSSH v1 */
265 CSSM_KEYBLOB_RAW_FORMAT_OPENSSH,
266 /* openssl-style DSA private key */
267 CSSM_KEYBLOB_RAW_FORMAT_OPENSSL,
268 /* OpenSSH v2 */
269 CSSM_KEYBLOB_RAW_FORMAT_OPENSSH2
270 };
271
272 /* Apple adds some "common" error codes. CDSA does not define an official start value for this. */
273 enum
274 {
275 CSSM_CUSTOM_COMMON_ERROR_EXTENT = 0x00e0,
276
277 CSSM_ERRCODE_NO_USER_INTERACTION = 0x00e0,
278 CSSM_ERRCODE_USER_CANCELED = 0x00e1,
279 CSSM_ERRCODE_SERVICE_NOT_AVAILABLE = 0x00e2,
280 CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION = 0x00e3,
281 CSSM_ERRCODE_DEVICE_RESET = 0x00e4,
282 CSSM_ERRCODE_DEVICE_FAILED = 0x00e5,
283 CSSM_ERRCODE_IN_DARK_WAKE = 0x00e6
284 };
285
286 enum {
287 CSSMERR_CSSM_NO_USER_INTERACTION = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION,
288 CSSMERR_AC_NO_USER_INTERACTION = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION,
289 CSSMERR_CSP_NO_USER_INTERACTION = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION,
290 CSSMERR_CL_NO_USER_INTERACTION = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION,
291 CSSMERR_DL_NO_USER_INTERACTION = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION,
292 CSSMERR_TP_NO_USER_INTERACTION = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION,
293
294 CSSMERR_CSSM_USER_CANCELED = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED,
295 CSSMERR_AC_USER_CANCELED = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED,
296 CSSMERR_CSP_USER_CANCELED = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED,
297 CSSMERR_CL_USER_CANCELED = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED,
298 CSSMERR_DL_USER_CANCELED = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED,
299 CSSMERR_TP_USER_CANCELED = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED,
300
301 CSSMERR_CSSM_SERVICE_NOT_AVAILABLE = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE,
302 CSSMERR_AC_SERVICE_NOT_AVAILABLE = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE,
303 CSSMERR_CSP_SERVICE_NOT_AVAILABLE = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE,
304 CSSMERR_CL_SERVICE_NOT_AVAILABLE = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE,
305 CSSMERR_DL_SERVICE_NOT_AVAILABLE = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE,
306 CSSMERR_TP_SERVICE_NOT_AVAILABLE = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE,
307
308 CSSMERR_CSSM_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION,
309 CSSMERR_AC_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION,
310 CSSMERR_CSP_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION,
311 CSSMERR_CL_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION,
312 CSSMERR_DL_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION,
313 CSSMERR_TP_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION,
314
315 CSSMERR_CSSM_DEVICE_RESET = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET,
316 CSSMERR_AC_DEVICE_RESET = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET,
317 CSSMERR_CSP_DEVICE_RESET = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET,
318 CSSMERR_CL_DEVICE_RESET = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET,
319 CSSMERR_DL_DEVICE_RESET = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET,
320 CSSMERR_TP_DEVICE_RESET = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET,
321
322 CSSMERR_CSSM_DEVICE_FAILED = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED,
323 CSSMERR_AC_DEVICE_FAILED = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED,
324 CSSMERR_CSP_DEVICE_FAILED = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED,
325 CSSMERR_CL_DEVICE_FAILED = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED,
326 CSSMERR_DL_DEVICE_FAILED = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED,
327 CSSMERR_TP_DEVICE_FAILED = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED,
328
329 CSSMERR_CSSM_IN_DARK_WAKE = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_IN_DARK_WAKE,
330 CSSMERR_AC_IN_DARK_WAKE = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_IN_DARK_WAKE,
331 CSSMERR_CSP_IN_DARK_WAKE = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_IN_DARK_WAKE,
332 CSSMERR_CL_IN_DARK_WAKE = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_IN_DARK_WAKE,
333 CSSMERR_DL_IN_DARK_WAKE = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_IN_DARK_WAKE,
334 CSSMERR_TP_IN_DARK_WAKE = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_IN_DARK_WAKE
335 };
336
337 /* AppleCSPDL, AppleCSP private error codes. */
338 enum {
339 CSSMERR_CSP_APPLE_ADD_APPLICATION_ACL_SUBJECT = CSSM_CSP_PRIVATE_ERROR + 0,
340 /*
341 * An attempt was made to use a public key which is incomplete due to
342 * the lack of algorithm-specific parameters.
343 */
344 CSSMERR_CSP_APPLE_PUBLIC_KEY_INCOMPLETE = CSSM_CSP_PRIVATE_ERROR + 1,
345
346 /* a code signature match failed */
347 CSSMERR_CSP_APPLE_SIGNATURE_MISMATCH = CSSM_CSP_PRIVATE_ERROR + 2,
348
349 /* Key StartDate/EndDate invalid */
350 CSSMERR_CSP_APPLE_INVALID_KEY_START_DATE = CSSM_CSP_PRIVATE_ERROR + 3,
351 CSSMERR_CSP_APPLE_INVALID_KEY_END_DATE = CSSM_CSP_PRIVATE_ERROR + 4,
352
353 /* Keychain Syncing error codes */
354 CSSMERR_CSPDL_APPLE_DL_CONVERSION_ERROR = CSSM_CSP_PRIVATE_ERROR + 5,
355
356 /* SSLv2 padding check: rollback attack detected */
357 CSSMERR_CSP_APPLE_SSLv2_ROLLBACK = CSSM_CSP_PRIVATE_ERROR + 6
358 };
359
360
361 /* AppleFileDL record types. */
362 enum
363 {
364 CSSM_DL_DB_RECORD_GENERIC_PASSWORD = CSSM_DB_RECORDTYPE_APP_DEFINED_START + 0,
365 CSSM_DL_DB_RECORD_INTERNET_PASSWORD = CSSM_DB_RECORDTYPE_APP_DEFINED_START + 1,
366 CSSM_DL_DB_RECORD_APPLESHARE_PASSWORD = CSSM_DB_RECORDTYPE_APP_DEFINED_START + 2,
367
368 CSSM_DL_DB_RECORD_X509_CERTIFICATE = CSSM_DB_RECORDTYPE_APP_DEFINED_START + 0x1000,
369 CSSM_DL_DB_RECORD_USER_TRUST,
370 CSSM_DL_DB_RECORD_X509_CRL,
371 CSSM_DL_DB_RECORD_UNLOCK_REFERRAL,
372 CSSM_DL_DB_RECORD_EXTENDED_ATTRIBUTE,
373 CSSM_DL_DB_RECORD_METADATA = CSSM_DB_RECORDTYPE_APP_DEFINED_START + 0x8000
374 };
375
376 /* AppleFileDL extentions: passthrough ids */
377 enum {
378 // Toggle whether or not to autocommit after modifying the database.
379 // The input parameter is a CSSM_BOOL, where TRUE turns autocommit on
380 // and FALSE turns it off.
381 CSSM_APPLEFILEDL_TOGGLE_AUTOCOMMIT,
382
383 // Commit any pending changes to the database.
384 CSSM_APPLEFILEDL_COMMIT,
385
386 // Rollback and discard any pending changes to the database.
387 CSSM_APPLEFILEDL_ROLLBACK,
388
389 // Try to take the file lock on the underlying database
390 // Calling commit or rollback will release the lock
391 CSSM_APPLEFILEDL_TAKE_FILE_LOCK,
392
393 // Make a backup of this database in a new file
394 CSSM_APPLEFILEDL_MAKE_BACKUP,
395
396 // Make a copy of this database
397 CSSM_APPLEFILEDL_MAKE_COPY,
398
399 // Delete this database
400 CSSM_APPLEFILEDL_DELETE_FILE,
401 };
402
403 /* UNLOCK_REFERRAL "type" attribute values */
404 enum {
405 CSSM_APPLE_UNLOCK_TYPE_KEY_DIRECT = 1, // master secret key stored directly
406 CSSM_APPLE_UNLOCK_TYPE_WRAPPED_PRIVATE = 2 // master key wrapped by public key
407 };
408
409 /* Apple DL private error codes. */
410 enum
411 {
412 /* The OpenParameters argument passed to CSSM_DL_DbCreate or CSSM_DL_DbOpen
413 was neither NULL nor a pointer to a valid CSSM_APPLEDL_OPEN_PARAMETERS
414 structure. */
415 CSSMERR_APPLEDL_INVALID_OPEN_PARAMETERS = CSSM_DL_PRIVATE_ERROR + 0,
416
417 /* an operation failed because the disk was full */
418 CSSMERR_APPLEDL_DISK_FULL = CSSM_DL_PRIVATE_ERROR + 1,
419
420 /* an operation failed because a disk quota was exceeded */
421 CSSMERR_APPLEDL_QUOTA_EXCEEDED = CSSM_DL_PRIVATE_ERROR + 2,
422
423 /* an operation failed because a file was too large */
424 CSSMERR_APPLEDL_FILE_TOO_BIG = CSSM_DL_PRIVATE_ERROR + 3,
425
426 /* a keychain database's internal information ("blob") is invalid */
427 CSSMERR_APPLEDL_INVALID_DATABASE_BLOB = CSSM_DL_PRIVATE_ERROR + 4,
428 CSSMERR_APPLEDL_INVALID_KEY_BLOB = CSSM_DL_PRIVATE_ERROR + 5,
429
430 /* the internal data format version for a database's internal information ("blob") is invalid */
431 CSSMERR_APPLEDL_INCOMPATIBLE_DATABASE_BLOB = CSSM_DL_PRIVATE_ERROR + 6,
432 CSSMERR_APPLEDL_INCOMPATIBLE_KEY_BLOB = CSSM_DL_PRIVATE_ERROR + 7,
433 };
434
435 /* Apple X509TP private error codes. */
436 enum
437 {
438 /* Host name mismatch */
439 CSSMERR_APPLETP_HOSTNAME_MISMATCH = CSSM_TP_PRIVATE_ERROR + 0,
440 /* Non-understood extension with Critical flag true */
441 CSSMERR_APPLETP_UNKNOWN_CRITICAL_EXTEN = CSSM_TP_PRIVATE_ERROR + 1,
442 /* Basic Constraints extension required per policy, but not present */
443 CSSMERR_APPLETP_NO_BASIC_CONSTRAINTS = CSSM_TP_PRIVATE_ERROR + 2,
444 /* Invalid BasicConstraints.CA */
445 CSSMERR_APPLETP_INVALID_CA = CSSM_TP_PRIVATE_ERROR + 3,
446 /* Invalid Authority Key ID */
447 CSSMERR_APPLETP_INVALID_AUTHORITY_ID = CSSM_TP_PRIVATE_ERROR + 4,
448 /* Invalid Subject Key ID */
449 CSSMERR_APPLETP_INVALID_SUBJECT_ID = CSSM_TP_PRIVATE_ERROR + 5,
450 /* Invalid Key Usage for policy */
451 CSSMERR_APPLETP_INVALID_KEY_USAGE = CSSM_TP_PRIVATE_ERROR + 6,
452 /* Invalid Extended Key Usage for policy */
453 CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE = CSSM_TP_PRIVATE_ERROR + 7,
454 /* Invalid Subject/Authority Key ID Linkage */
455 CSSMERR_APPLETP_INVALID_ID_LINKAGE = CSSM_TP_PRIVATE_ERROR + 8,
456 /* PathLengthConstraint exceeded */
457 CSSMERR_APPLETP_PATH_LEN_CONSTRAINT = CSSM_TP_PRIVATE_ERROR + 9,
458 /* Cert group terminated at a root cert which did not self-verify */
459 CSSMERR_APPLETP_INVALID_ROOT = CSSM_TP_PRIVATE_ERROR + 10,
460 /* CRL expired/not valid yet */
461 CSSMERR_APPLETP_CRL_EXPIRED = CSSM_TP_PRIVATE_ERROR + 11,
462 CSSMERR_APPLETP_CRL_NOT_VALID_YET = CSSM_TP_PRIVATE_ERROR + 12,
463 /* Cannot find appropriate CRL */
464 CSSMERR_APPLETP_CRL_NOT_FOUND = CSSM_TP_PRIVATE_ERROR + 13,
465 /* specified CRL server down */
466 CSSMERR_APPLETP_CRL_SERVER_DOWN = CSSM_TP_PRIVATE_ERROR + 14,
467 /* illegible CRL distribution point URL */
468 CSSMERR_APPLETP_CRL_BAD_URI = CSSM_TP_PRIVATE_ERROR + 15,
469 /* Unknown critical cert/CRL extension */
470 CSSMERR_APPLETP_UNKNOWN_CERT_EXTEN = CSSM_TP_PRIVATE_ERROR + 16,
471 CSSMERR_APPLETP_UNKNOWN_CRL_EXTEN = CSSM_TP_PRIVATE_ERROR + 17,
472 /* CRL not verifiable to anchor or root */
473 CSSMERR_APPLETP_CRL_NOT_TRUSTED = CSSM_TP_PRIVATE_ERROR + 18,
474 /* CRL verified to untrusted root */
475 CSSMERR_APPLETP_CRL_INVALID_ANCHOR_CERT = CSSM_TP_PRIVATE_ERROR + 19,
476 /* CRL failed policy verification */
477 CSSMERR_APPLETP_CRL_POLICY_FAIL = CSSM_TP_PRIVATE_ERROR + 20,
478 /* IssuingDistributionPoint extension violation */
479 CSSMERR_APPLETP_IDP_FAIL = CSSM_TP_PRIVATE_ERROR + 21,
480 /* Cert not found at specified issuerAltName */
481 CSSMERR_APPLETP_CERT_NOT_FOUND_FROM_ISSUER = CSSM_TP_PRIVATE_ERROR + 22,
482 /* Bad cert obtained from specified issuerAltName */
483 CSSMERR_APPLETP_BAD_CERT_FROM_ISSUER = CSSM_TP_PRIVATE_ERROR + 23,
484 /* S/MIME Email address mismatch */
485 CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND = CSSM_TP_PRIVATE_ERROR + 24,
486 /* Appropriate S/MIME ExtendedKeyUsage not found */
487 CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE = CSSM_TP_PRIVATE_ERROR + 25,
488 /* S/MIME KeyUsage incompatibility */
489 CSSMERR_APPLETP_SMIME_BAD_KEY_USE = CSSM_TP_PRIVATE_ERROR + 26,
490 /* S/MIME, cert with KeyUsage flagged !critical */
491 CSSMERR_APPLETP_SMIME_KEYUSAGE_NOT_CRITICAL = CSSM_TP_PRIVATE_ERROR + 27,
492 /* S/MIME, leaf with empty subject name and no email addrs
493 * in SubjectAltName */
494 CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS = CSSM_TP_PRIVATE_ERROR + 28,
495 /* S/MIME, leaf with empty subject name, SubjectAltName
496 * not critical */
497 CSSMERR_APPLETP_SMIME_SUBJ_ALT_NAME_NOT_CRIT = CSSM_TP_PRIVATE_ERROR + 29,
498 /* Appropriate SSL ExtendedKeyUsage not found */
499 CSSMERR_APPLETP_SSL_BAD_EXT_KEY_USE = CSSM_TP_PRIVATE_ERROR + 30,
500 /* unparseable OCSP response */
501 CSSMERR_APPLETP_OCSP_BAD_RESPONSE = CSSM_TP_PRIVATE_ERROR + 31,
502 /* unparseable OCSP request */
503 CSSMERR_APPLETP_OCSP_BAD_REQUEST = CSSM_TP_PRIVATE_ERROR + 32,
504 /* OCSP service unavailable */
505 CSSMERR_APPLETP_OCSP_UNAVAILABLE = CSSM_TP_PRIVATE_ERROR + 33,
506 /* OCSP status: cert unrecognized */
507 CSSMERR_APPLETP_OCSP_STATUS_UNRECOGNIZED = CSSM_TP_PRIVATE_ERROR + 34,
508 /* revocation check not successful for each cert */
509 CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK = CSSM_TP_PRIVATE_ERROR + 35,
510 /* general network error */
511 CSSMERR_APPLETP_NETWORK_FAILURE = CSSM_TP_PRIVATE_ERROR + 36,
512 /* OCSP response not verifiable to anchor or root */
513 CSSMERR_APPLETP_OCSP_NOT_TRUSTED = CSSM_TP_PRIVATE_ERROR + 37,
514 /* OCSP response verified to untrusted root */
515 CSSMERR_APPLETP_OCSP_INVALID_ANCHOR_CERT = CSSM_TP_PRIVATE_ERROR + 38,
516 /* OCSP response signature error */
517 CSSMERR_APPLETP_OCSP_SIG_ERROR = CSSM_TP_PRIVATE_ERROR + 39,
518 /* No signer for OCSP response found */
519 CSSMERR_APPLETP_OCSP_NO_SIGNER = CSSM_TP_PRIVATE_ERROR + 40,
520 /* OCSP responder status: malformed request */
521 CSSMERR_APPLETP_OCSP_RESP_MALFORMED_REQ = CSSM_TP_PRIVATE_ERROR + 41,
522 /* OCSP responder status: internal error */
523 CSSMERR_APPLETP_OCSP_RESP_INTERNAL_ERR = CSSM_TP_PRIVATE_ERROR + 42,
524 /* OCSP responder status: try later */
525 CSSMERR_APPLETP_OCSP_RESP_TRY_LATER = CSSM_TP_PRIVATE_ERROR + 43,
526 /* OCSP responder status: signature required */
527 CSSMERR_APPLETP_OCSP_RESP_SIG_REQUIRED = CSSM_TP_PRIVATE_ERROR + 44,
528 /* OCSP responder status: unauthorized */
529 CSSMERR_APPLETP_OCSP_RESP_UNAUTHORIZED = CSSM_TP_PRIVATE_ERROR + 45,
530 /* OCSP response nonce did not match request */
531 CSSMERR_APPLETP_OCSP_NONCE_MISMATCH = CSSM_TP_PRIVATE_ERROR + 46,
532 /* Illegal cert chain length for Code Signing */
533 CSSMERR_APPLETP_CS_BAD_CERT_CHAIN_LENGTH = CSSM_TP_PRIVATE_ERROR + 47,
534 /* Missing Basic Constraints for Code Signing */
535 CSSMERR_APPLETP_CS_NO_BASIC_CONSTRAINTS = CSSM_TP_PRIVATE_ERROR + 48,
536 /* Bad PathLengthConstraint for Code Signing */
537 CSSMERR_APPLETP_CS_BAD_PATH_LENGTH = CSSM_TP_PRIVATE_ERROR + 49,
538 /* Missing ExtendedKeyUsage for Code Signing */
539 CSSMERR_APPLETP_CS_NO_EXTENDED_KEY_USAGE = CSSM_TP_PRIVATE_ERROR + 50,
540 /* Development style Code Signing Cert Detected */
541 CSSMERR_APPLETP_CODE_SIGN_DEVELOPMENT = CSSM_TP_PRIVATE_ERROR + 51,
542 /* Illegal cert chain length for Resource Signing */
543 CSSMERR_APPLETP_RS_BAD_CERT_CHAIN_LENGTH = CSSM_TP_PRIVATE_ERROR + 52,
544 /* Bad extended key usage for Resource Signing */
545 CSSMERR_APPLETP_RS_BAD_EXTENDED_KEY_USAGE = CSSM_TP_PRIVATE_ERROR + 53,
546 /* Trust Setting: deny */
547 CSSMERR_APPLETP_TRUST_SETTING_DENY = CSSM_TP_PRIVATE_ERROR + 54,
548 /* Invalid empty SubjectName */
549 CSSMERR_APPLETP_INVALID_EMPTY_SUBJECT = CSSM_TP_PRIVATE_ERROR + 55,
550 /* Unknown critical Qualified Cert Statement ID */
551 CSSMERR_APPLETP_UNKNOWN_QUAL_CERT_STATEMENT = CSSM_TP_PRIVATE_ERROR + 56,
552 /* Missing required extension */
553 CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION = CSSM_TP_PRIVATE_ERROR + 57,
554 /* Extended key usage not marked critical */
555 CSSMERR_APPLETP_EXT_KEYUSAGE_NOT_CRITICAL = CSSM_TP_PRIVATE_ERROR + 58,
556 /* Required name or identifier not present */
557 CSSMERR_APPLETP_IDENTIFIER_MISSING = CSSM_TP_PRIVATE_ERROR + 59,
558 /* Certificate authority pinning mismatch */
559 CSSMERR_APPLETP_CA_PIN_MISMATCH = CSSM_TP_PRIVATE_ERROR + 60
560 };
561
562 /* Apple .mac TP private error codes. */
563 enum
564 {
565 /* cert request queued */
566 CSSMERR_APPLE_DOTMAC_REQ_QUEUED = CSSM_TP_PRIVATE_ERROR + 100,
567 /* cert request redirected */
568 CSSMERR_APPLE_DOTMAC_REQ_REDIRECT = CSSM_TP_PRIVATE_ERROR + 101,
569 /* general server-reported error */
570 CSSMERR_APPLE_DOTMAC_REQ_SERVER_ERR = CSSM_TP_PRIVATE_ERROR + 102,
571 /* server-reported parameter error */
572 CSSMERR_APPLE_DOTMAC_REQ_SERVER_PARAM = CSSM_TP_PRIVATE_ERROR + 103,
573 /* server-reported authorization error */
574 CSSMERR_APPLE_DOTMAC_REQ_SERVER_AUTH = CSSM_TP_PRIVATE_ERROR + 104,
575 /* server-reported unimplemented */
576 CSSMERR_APPLE_DOTMAC_REQ_SERVER_UNIMPL = CSSM_TP_PRIVATE_ERROR + 105,
577 /* server-reported not available */
578 CSSMERR_APPLE_DOTMAC_REQ_SERVER_NOT_AVAIL = CSSM_TP_PRIVATE_ERROR + 106,
579 /* server-reported already exists */
580 CSSMERR_APPLE_DOTMAC_REQ_SERVER_ALREADY_EXIST = CSSM_TP_PRIVATE_ERROR + 107,
581 /* server-reported service error */
582 CSSMERR_APPLE_DOTMAC_REQ_SERVER_SERVICE_ERROR = CSSM_TP_PRIVATE_ERROR + 108,
583 /* request already pending for specified user */
584 CSSMERR_APPLE_DOTMAC_REQ_IS_PENDING = CSSM_TP_PRIVATE_ERROR + 109,
585 /* no request pending for specified user */
586 CSSMERR_APPLE_DOTMAC_NO_REQ_PENDING = CSSM_TP_PRIVATE_ERROR + 110,
587 /* CSR failed to verify */
588 CSSMERR_APPLE_DOTMAC_CSR_VERIFY_FAIL = CSSM_TP_PRIVATE_ERROR + 111,
589 /* server reported failed consistency check */
590 CSSMERR_APPLE_DOTMAC_FAILED_CONSISTENCY_CHECK = CSSM_TP_PRIVATE_ERROR + 112
591 };
592
593 enum
594 {
595 CSSM_APPLEDL_OPEN_PARAMETERS_VERSION = 1
596 };
597
598 enum cssm_appledl_open_parameters_mask
599 {
600 kCSSM_APPLEDL_MASK_MODE = (1 << 0)
601 };
602
603 /* Pass a CSSM_APPLEDL_OPEN_PARAMETERS_PTR as the OpenParameters argument to
604 CSSM_DL_DbCreate or CSSM_DL_DbOpen. When using this struct, you must zero
605 out the entire struct before setting any additional parameters to ensure
606 forward compatibility. */
607 typedef struct cssm_appledl_open_parameters
608 {
609 uint32 length; /* Should be sizeof(CSSM_APPLEDL_OPEN_PARAMETERS). */
610 uint32 version; /* Should be CSSM_APPLEDL_OPEN_PARAMETERS_VERSION. */
611
612 /* If no OpenParameters are specified, autoCommit is on (!CSSM_FALSE) by default.
613 When autoCommit is on (!CSSM_FALSE), changes made to the Db are written to disk
614 before returning from each function.
615 When autoCommit is off (CSSM_FALSE), changes made to the database are not guaranteed
616 to be written to disk until the Db is closed. This is useful for bulk writes.
617 Be aware that if autoCommit is off, changes made in previous calls to the DL might
618 get rolled back if a new modification operation fails. */
619 CSSM_BOOL autoCommit;
620
621 /* Mask marking which of the following fields are to be used. */
622 uint32 mask;
623
624 /* When calling DbCreate, the initial mode to create the database file with; ignored on DbOpen. You must set the kCSSM_APPLEDL_MASK_MODE bit in mask or mode is ignored. */
625 mode_t mode;
626 } CSSM_APPLEDL_OPEN_PARAMETERS, *CSSM_APPLEDL_OPEN_PARAMETERS_PTR;
627
628
629 /* AppleCSPDL passthough ids */
630 enum
631 {
632 /* Tell the SecurityServer to lock the database specified by the DLDBHandle argument.
633 The InputParams and OutputParams arguments are ignored. */
634 CSSM_APPLECSPDL_DB_LOCK = 0,
635
636 /* Tell the SecurityServer to unlock the database specified by the DLDBHandle argument.
637 The InputParameters argument is a CSSM_DATA_PTR containing the password, or NULL if
638 the SecurityServer should prompt for the password.
639 The OutputParams argument is ignored.
640 The SecurityServer will put up UI (though the SecurityAgent) when this function is called
641 iff InputParameters is NULL. */
642 CSSM_APPLECSPDL_DB_UNLOCK = 1,
643
644 /* Ask the SecurityServer to get the db settings specified for the database
645 specified by the DLDBHandle argument. The settings are returned in the OutputParameters argument.
646 The OutputParameters argument is a pointer to a CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS_PTR.
647 Upon successful completion, the AppleCSPDL will have allocated a
648 CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS structure using the application-specified
649 allocators for the DL attachment specified by the DLDBHandle argument. The structure will contain
650 the current database settings for the specified database. The client should free the
651 CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS_PTR after it has finished using it.
652 The InputParameters argument is ignored.
653 The SecurityServer might put up UI (though the SecurityAgent) when this function is called. */
654 CSSM_APPLECSPDL_DB_GET_SETTINGS = 2,
655
656 /* Tell the SecurityServer to set the db settings specified in InputParameters on the database
657 specified by the DLDBHandle argument.
658 The InputParameters argument is a const CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS * containing
659 the new settings for the specified database.
660 The OutputParams argument is ignored.
661 The SecurityServer might put up UI (though the SecurityAgent) when this function is called. */
662 CSSM_APPLECSPDL_DB_SET_SETTINGS = 3,
663
664 /* Ask the SecurityServer whether the database specified by the DLDBHandle argument is locked.
665 The InputParameters argument is ignored.
666 The OutputParameters argument is a pointer to a CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS_PTR.
667 Upon successful completion, the AppleCSPDL will have allocated a
668 CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS structure using the application-specified
669 allocators for the DL attachment specified by the DLDBHandle argument. The structure will contain
670 the current lock status for the specified database. The client should free the
671 CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS_PTR after it has finished using it.
672 The SecurityServer will put up UI (though the SecurityAgent) when this function is called. */
673 CSSM_APPLECSPDL_DB_IS_LOCKED = 4,
674
675 /* Tell the SecurityServer to change the password for the database specified by
676 the DLDBHandle.
677
678 The InputParameters argument is a const CSSM_APPLECSPDL_DB_CHANGE_PASSWORD_PARAMETERS * containing
679 a CSSM_ACCESS_CREDENTIALS * which determines how the password will be changed. If the
680 accessCredentials are NULL, the SecurityAgent will prompt for the old and the new password for the
681 specified database. If credentials are specified, there should be 2 entries:
682 1. a 3-element list containing:
683 CSSM_WORDID_KEYCHAIN_LOCK, CSSM_SAMPLE_TYPE_PASSWORD, and the old password.
684 2. a 3-element list containing:
685 CSSM_WORDID_KEYCHAIN_CHANGE_LOCK, CSSM_SAMPLE_TYPE_PASSWORD, and the new password.
686
687 The OutputParams argument is ignored.
688 The SecurityServer might put up UI (though the SecurityAgent) when this function is called. */
689 CSSM_APPLECSPDL_DB_CHANGE_PASSWORD =5,
690
691 /* Return the SecurityServer database handle for the database specified by the DLDBHandle */
692 CSSM_APPLECSPDL_DB_GET_HANDLE = 6,
693
694 /* Given a CSSM_KEY for the CSPDL, return the SecurityServer key handle */
695 CSSM_APPLESCPDL_CSP_GET_KEYHANDLE = 7,
696
697 CSSM_APPLE_PRIVATE_CSPDL_CODE_8 = 8,
698 CSSM_APPLE_PRIVATE_CSPDL_CODE_9 = 9,
699 CSSM_APPLE_PRIVATE_CSPDL_CODE_10 = 10,
700 CSSM_APPLE_PRIVATE_CSPDL_CODE_11 = 11,
701 CSSM_APPLE_PRIVATE_CSPDL_CODE_12 = 12,
702 CSSM_APPLE_PRIVATE_CSPDL_CODE_13 = 13,
703 CSSM_APPLE_PRIVATE_CSPDL_CODE_14 = 14,
704 CSSM_APPLE_PRIVATE_CSPDL_CODE_15 = 15,
705 CSSM_APPLE_PRIVATE_CSPDL_CODE_16 = 16,
706 CSSM_APPLE_PRIVATE_CSPDL_CODE_17 = 17,
707 CSSM_APPLE_PRIVATE_CSPDL_CODE_18 = 18,
708 CSSM_APPLE_PRIVATE_CSPDL_CODE_19 = 19,
709 CSSM_APPLE_PRIVATE_CSPDL_CODE_20 = 20,
710 CSSM_APPLE_PRIVATE_CSPDL_CODE_21 = 21,
711 CSSM_APPLE_PRIVATE_CSPDL_CODE_22 = 22,
712 CSSM_APPLE_PRIVATE_CSPDL_CODE_23 = 23,
713 CSSM_APPLE_PRIVATE_CSPDL_CODE_24 = 24,
714 CSSM_APPLE_PRIVATE_CSPDL_CODE_25 = 25,
715 CSSM_APPLE_PRIVATE_CSPDL_CODE_26 = 26,
716 CSSM_APPLE_PRIVATE_CSPDL_CODE_27 = 27,
717
718 /* Given a CSSM_KEY_PTR in any format, obtain the SHA-1 hash of the
719 * associated key blob.
720 * Key is specified in CSSM_CSP_CreatePassThroughContext.
721 * Hash is allocated bythe CSP, in the App's memory, and returned
722 * in *outData. */
723 CSSM_APPLECSP_KEYDIGEST = 0x100
724 };
725
726
727
728 /* AppleCSPDL passthough parameters */
729 typedef struct cssm_applecspdl_db_settings_parameters
730 {
731 uint32 idleTimeout; // seconds idle timeout lock
732 uint8 lockOnSleep; // lock database when system sleeps
733 } CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS, *CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS_PTR;
734
735 /* AppleCSPDL passthough parameters */
736 typedef struct cssm_applecspdl_db_is_locked_parameters
737 {
738 uint8 isLocked; // True iff the database is locked
739 } CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS, *CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS_PTR;
740
741 /* AppleCSPDL passthough parameters */
742 typedef struct cssm_applecspdl_db_change_password_parameters
743 {
744 CSSM_ACCESS_CREDENTIALS *accessCredentials;
745 } CSSM_APPLECSPDL_DB_CHANGE_PASSWORD_PARAMETERS, *CSSM_APPLECSPDL_DB_CHANGE_PASSWORD_PARAMETERS_PTR;
746
747 /* Custom wrapped key formats */
748 enum {
749 CSSM_KEYBLOB_WRAPPED_FORMAT_APPLE_CUSTOM = 100,
750 CSSM_KEYBLOB_WRAPPED_FORMAT_OPENSSL, // traditional openssl
751 CSSM_KEYBLOB_WRAPPED_FORMAT_OPENSSH1 // OpenSSH v1
752 };
753
754 /*
755 * Custom context attributes for AppleCSP.
756 */
757 enum {
758 CSSM_ATTRIBUTE_VENDOR_DEFINED = 0x800000
759 };
760
761 enum {
762 /*
763 * Public Key attribute for use with CSSM_ALGID_FEED.
764 */
765 CSSM_ATTRIBUTE_PUBLIC_KEY =
766 (CSSM_ATTRIBUTE_DATA_KEY | (CSSM_ATTRIBUTE_VENDOR_DEFINED + 0)),
767
768 /*
769 * FEE key attributes.
770 * See CSSM_FEE_PRIME_TYPE_xxx, CSSM_FEE_CURVE_TYPE_xxx enums, below.
771 */
772 CSSM_ATTRIBUTE_FEE_PRIME_TYPE =
773 (CSSM_ATTRIBUTE_DATA_UINT32 | (CSSM_ATTRIBUTE_VENDOR_DEFINED + 1)),
774 CSSM_ATTRIBUTE_FEE_CURVE_TYPE =
775 (CSSM_ATTRIBUTE_DATA_UINT32 | (CSSM_ATTRIBUTE_VENDOR_DEFINED + 2)),
776
777 /*
778 * Apple Secure Compression (ComCryption) optimization.
779 * See CSSM_ASC_OPTIMIZE_xxx, enums, below.
780 */
781 CSSM_ATTRIBUTE_ASC_OPTIMIZATION =
782 (CSSM_ATTRIBUTE_DATA_UINT32 | (CSSM_ATTRIBUTE_VENDOR_DEFINED + 3)),
783
784 /*
785 * RSA blinding. Value is integer, nonzero (blinding on) or zero.
786 */
787 CSSM_ATTRIBUTE_RSA_BLINDING =
788 (CSSM_ATTRIBUTE_DATA_UINT32 | (CSSM_ATTRIBUTE_VENDOR_DEFINED + 4)),
789
790 /*
791 * Additional public key from which to obtain algorithm-specific
792 * parameters.
793 */
794 CSSM_ATTRIBUTE_PARAM_KEY =
795 (CSSM_ATTRIBUTE_DATA_KEY | (CSSM_ATTRIBUTE_VENDOR_DEFINED + 5)),
796
797 /*
798 * Prompt string for CSSM_ALGID_SECURE_PASSPHRASE key acquisition.
799 * Data is a UTF8-encoded external representation of a CFString.
800 */
801 CSSM_ATTRIBUTE_PROMPT =
802 (CSSM_ATTRIBUTE_DATA_CSSM_DATA | (CSSM_ATTRIBUTE_VENDOR_DEFINED + 6)),
803
804 /*
805 * Alert panel title for CSSM_ALGID_SECURE_PASSPHRASE key acquisition.
806 * Data is a UTF8-encoded external representation of a CFString.
807 */
808 CSSM_ATTRIBUTE_ALERT_TITLE =
809 (CSSM_ATTRIBUTE_DATA_CSSM_DATA | (CSSM_ATTRIBUTE_VENDOR_DEFINED + 7)),
810
811 /*
812 * Boolean to specify whether secure passphrase is being used to encrypt or to
813 * recover data. In the former case the user will be prompted to enter the
814 * passphrase twice. Value is integer, nonzero (verify passphrase) or zero.
815 */
816 CSSM_ATTRIBUTE_VERIFY_PASSPHRASE =
817 (CSSM_ATTRIBUTE_DATA_UINT32 | (CSSM_ATTRIBUTE_VENDOR_DEFINED + 8))
818
819 };
820
821 /*
822 * FEE key pair prime modulus types.
823 */
824 enum {
825 CSSM_FEE_PRIME_TYPE_DEFAULT = 0, /* default per key size */
826 CSSM_FEE_PRIME_TYPE_MERSENNE, /* (2 ** q) - 1Ê*/
827 CSSM_FEE_PRIME_TYPE_FEE, /* (2 ** q) - k */
828 CSSM_FEE_PRIME_TYPE_GENERAL /* random prime */
829 };
830
831 /*
832 * FEE curve types. Comments refer to equation
833 *
834 * y**2 = x**3 + c(x**2) + ax + b
835 */
836 enum {
837 CSSM_FEE_CURVE_TYPE_DEFAULT = 0, /* default per key size */
838 CSSM_FEE_CURVE_TYPE_MONTGOMERY, /* a==1, b==0 */
839 CSSM_FEE_CURVE_TYPE_WEIERSTRASS, /* c==0. IEEE P1363 compliant. */
840 CSSM_FEE_CURVE_TYPE_ANSI_X9_62 /* ANSI X9.62 compatible */
841 };
842
843 /*
844 * Apple Secure Compression (ComCryption) optimization attributes.
845 */
846 enum {
847 CSSM_ASC_OPTIMIZE_DEFAULT = 0,
848 CSSM_ASC_OPTIMIZE_SIZE, /* max compression (currently the default) */
849 CSSM_ASC_OPTIMIZE_SECURITY, /* currently not implemented */
850 CSSM_ASC_OPTIMIZE_TIME, /* min runtime */
851 CSSM_ASC_OPTIMIZE_TIME_SIZE, /* implies loss of security */
852 CSSM_ASC_OPTIMIZE_ASCII, /* optimized for ASCC text, not implemented */
853 };
854
855 /*
856 * Apple custom CSSM_KEYATTR_FLAGS.
857 */
858 enum {
859 /*
860 * When set, indicates a public key which is incomplete (though
861 * still valid) due to the lack of algorithm-specific parameters.
862 */
863 CSSM_KEYATTR_PARTIAL = 0x00010000,
864
865 /*
866 * When set, public keys are stored encrypted. Default is to store
867 * public keys in the clear. AppleCSPDL only.
868 */
869 CSSM_KEYATTR_PUBLIC_KEY_ENCRYPT = 0x00020000
870 };
871
872 /*
873 * Name/OID pair used in CSSM_APPLE_TP_CERT_REQUEST
874 */
875 typedef struct {
876 const char *string;
877 const CSSM_OID *oid;
878 } CSSM_APPLE_TP_NAME_OID;
879
880 /*
881 * Certificate request passed to CSSM_TP_SubmitCredRequest() in the
882 * CSSM_TP_AUTHORITY_REQUEST_TYPE.Requests field. Used for requesting
883 * both locally-generated certs (CSSMOID_APPLE_TP_LOCAL_CERT_GEN) and
884 * cert signing requests (CSSMOID_APPLE_TP_CSR_GEN).
885 */
886 typedef struct {
887 CSSM_CSP_HANDLE cspHand; // sign with this CSP
888 CSSM_CL_HANDLE clHand; // and this CL
889 uint32 serialNumber;
890 uint32 numSubjectNames;// size subjectNames[]
891 CSSM_APPLE_TP_NAME_OID *subjectNames;
892
893 /*
894 * Issuer name can be expressed in the simplified CSSM_APPLE_TP_NAME_OID
895 * array, as is the subject name, or as an CSSM_X509_NAME, which is
896 * typically obtained from a signing cert.
897 * Exactly one of {issuerNames, issuerNameX509} must be non-NULL.
898 */
899 uint32 numIssuerNames; // size issuerNames[]
900 CSSM_APPLE_TP_NAME_OID *issuerNames; // optional; NULL implies root
901 // (signer == subject)
902 CSSM_X509_NAME_PTR issuerNameX509;
903 const CSSM_KEY *certPublicKey;
904 const CSSM_KEY *issuerPrivateKey;
905
906 /* Unfortunately there is no practical way to map any algorithm
907 * to its appropriate OID, and we need both.... */
908 CSSM_ALGORITHMS signatureAlg; // e.g., CSSM_ALGID_SHA1WithRSA
909 CSSM_OID signatureOid; // e.g., CSSMOID_SHA1WithRSA
910 uint32 notBefore; // relative to "now"
911 uint32 notAfter;
912 uint32 numExtensions;
913 CE_DataAndType *extensions; // optional
914
915 /*
916 * Optional challenge string for CSSMOID_APPLE_TP_CSR_GEN.
917 */
918 const char *challengeString;
919 } CSSM_APPLE_TP_CERT_REQUEST;
920
921 /*
922 * Options for X509TP's CSSM_TP_CertGroupVerify for policy CSSMOID_APPLE_TP_SSL.
923 * A pointer to, and length of, one of these is optionally placed in
924 * CSSM_TP_VERIFY_CONTEXT.Cred->Policy.PolicyIds[n].FieldValue.
925 */
926 #define CSSM_APPLE_TP_SSL_OPTS_VERSION 1
927
928 /*
929 * Values for CSSM_APPLE_TP_SSL_OPTIONS.flags.
930 *
931 * Set this flag when evaluating a client cert.
932 */
933 #define CSSM_APPLE_TP_SSL_CLIENT 0x00000001
934
935 typedef struct {
936 uint32 Version; // CSSM_APPLE_TP_SSL_OPTS_VERSION
937
938 /*
939 * The domain name of the server (e.g., "store.apple.com".) In the
940 * SSL and TLS protocols, this must match the common name of the
941 * subject cert. Expressed as a C string, optionally NULL terminated
942 * if it is NULL terminated, the length field should include the NULL).
943 */
944 uint32 ServerNameLen;
945 const char *ServerName; // optional
946
947 /* new fields for struct version 1 */
948 uint32 Flags;
949 } CSSM_APPLE_TP_SSL_OPTIONS;
950
951 /*
952 * Options for X509TP's CSSM_TP_CertGroupVerify for policy
953 * CSSMOID_APPLE_TP_REVOCATION_CRL. A pointer to, and length of, one
954 * of these is optionally placed in
955 * CSSM_TP_VERIFY_CONTEXT.Cred->Policy.PolicyIds[n].FieldValue.
956 */
957 #define CSSM_APPLE_TP_CRL_OPTS_VERSION 0
958
959 typedef uint32 CSSM_APPLE_TP_CRL_OPT_FLAGS;
960 enum {
961 // require CRL verification for each cert; default is "try"
962 CSSM_TP_ACTION_REQUIRE_CRL_PER_CERT = 0x00000001,
963 // enable fetch from network
964 CSSM_TP_ACTION_FETCH_CRL_FROM_NET = 0x00000002,
965 // if set and positive CRL verify for given cert, no further revocation
966 // checking need be done on that cert
967 CSSM_TP_ACTION_CRL_SUFFICIENT = 0x00000004,
968 // require CRL verification for certs which claim a CRL provider
969 CSSM_TP_ACTION_REQUIRE_CRL_IF_PRESENT = 0x00000008
970 };
971
972 typedef struct {
973 uint32 Version; // CSSM_APPLE_TP_CRL_OPTS_VERSION
974 CSSM_APPLE_TP_CRL_OPT_FLAGS CrlFlags;
975
976 /*
977 * When non-NULL, store CRLs fetched from net here.
978 * This is most likely a pointer to one of the
979 * CSSM_TP_CALLERAUTH_CONTEXT.DBList entries but that
980 * is not a strict requirement.
981 */
982 CSSM_DL_DB_HANDLE_PTR crlStore;
983 } CSSM_APPLE_TP_CRL_OPTIONS;
984
985 /*
986 * Options for X509TP's CSSM_TP_CertGroupVerify for policy
987 * CSSMOID_APPLE_TP_SMIME. A pointer to, and length of, one
988 * of these is optionally placed in
989 * CSSM_TP_VERIFY_CONTEXT.Cred->Policy.PolicyIds[n].FieldValue.
990 */
991 #define CSSM_APPLE_TP_SMIME_OPTS_VERSION 0
992 typedef struct {
993 uint32 Version; // CSSM_APPLE_TP_SMIME_OPTS_VERSION
994
995 /*
996 * Intended usage of the leaf cert. The cert's KeyUsage extension,
997 * if present, must be a superset of this.
998 */
999 CE_KeyUsage IntendedUsage;
1000
1001 /*
1002 * The email address of the sender. If there is an email address
1003 * in the sender's cert, that email address must match this one.
1004 * Both (email address in the cert, and this one) are optional.
1005 * Expressed as a C string, optionally NULL terminated (i.e.,
1006 * SenderEmail[SenderEmailLen - 1] may or may not be NULL).
1007 */
1008 uint32 SenderEmailLen;
1009 const char *SenderEmail; // optional
1010 } CSSM_APPLE_TP_SMIME_OPTIONS;
1011
1012
1013 /*
1014 * Optional ActionData for all X509TP CertGroupVerify policies.
1015 * A pointer to, and length of, one of these is optionally placed in
1016 * CSSM_TP_VERIFY_CONTEXT.ActionData.
1017 */
1018 typedef uint32 CSSM_APPLE_TP_ACTION_FLAGS;
1019 enum {
1020 CSSM_TP_ACTION_ALLOW_EXPIRED = 0x00000001, // allow expired certs
1021 CSSM_TP_ACTION_LEAF_IS_CA = 0x00000002, // first cert is a CA
1022 CSSM_TP_ACTION_FETCH_CERT_FROM_NET = 0x00000004, // enable net fetch of CA cert
1023 CSSM_TP_ACTION_ALLOW_EXPIRED_ROOT = 0x00000008, // allow expired roots
1024 CSSM_TP_ACTION_REQUIRE_REV_PER_CERT = 0x00000010, // require positive revocation
1025 // check per cert
1026 CSSM_TP_ACTION_TRUST_SETTINGS = 0x00000020, // use TrustSettings instead of
1027 // anchors
1028 CSSM_TP_ACTION_IMPLICIT_ANCHORS = 0x00000040 // properly self-signed certs are
1029 // treated as anchors implicitly
1030 };
1031
1032 #define CSSM_APPLE_TP_ACTION_VERSION 0
1033 typedef struct {
1034 uint32 Version; // CSSM_APPLE_TP_ACTION_VERSION
1035 CSSM_APPLE_TP_ACTION_FLAGS ActionFlags; // CSSM_TP_ACTION_ALLOW_EXPIRED, etc.
1036 } CSSM_APPLE_TP_ACTION_DATA;
1037
1038 /*
1039 * Per-cert evidence returned from CSSM_TP_CertGroupVerify.
1040 * An array of these is presented in CSSM_TP_VERIFY_CONTEXT_RESULT.Evidence[2].
1041 * Same number of these as in the cert group in Evidence[1].
1042 */
1043
1044 /* First, an array of bits indicating various status of the cert. */
1045 typedef uint32 CSSM_TP_APPLE_CERT_STATUS;
1046 enum
1047 {
1048 CSSM_CERT_STATUS_EXPIRED = 0x00000001,
1049 CSSM_CERT_STATUS_NOT_VALID_YET = 0x00000002,
1050 CSSM_CERT_STATUS_IS_IN_INPUT_CERTS = 0x00000004,
1051 CSSM_CERT_STATUS_IS_IN_ANCHORS = 0x00000008,
1052 CSSM_CERT_STATUS_IS_ROOT = 0x00000010,
1053 CSSM_CERT_STATUS_IS_FROM_NET = 0x00000020,
1054 /* settings found in per-user Trust Settings */
1055 CSSM_CERT_STATUS_TRUST_SETTINGS_FOUND_USER = 0x00000040,
1056 /* settings found in Admin Trust Settings */
1057 CSSM_CERT_STATUS_TRUST_SETTINGS_FOUND_ADMIN = 0x00000080,
1058 /* settings found in System Trust Settings */
1059 CSSM_CERT_STATUS_TRUST_SETTINGS_FOUND_SYSTEM = 0x00000100,
1060 /* Trust Settings result = Trust */
1061 CSSM_CERT_STATUS_TRUST_SETTINGS_TRUST = 0x00000200,
1062 /* Trust Settings result = Deny */
1063 CSSM_CERT_STATUS_TRUST_SETTINGS_DENY = 0x00000400,
1064 /* Per-cert error ignored due to Trust Settings */
1065 CSSM_CERT_STATUS_TRUST_SETTINGS_IGNORED_ERROR = 0x00000800
1066 };
1067
1068 typedef struct {
1069 CSSM_TP_APPLE_CERT_STATUS StatusBits;
1070 uint32 NumStatusCodes;
1071 CSSM_RETURN *StatusCodes;
1072
1073 /* index into raw cert group or AnchorCerts depending on IS_IN_ANCHORS */
1074 uint32 Index;
1075
1076 /* nonzero if cert came from a DLDB */
1077 CSSM_DL_DB_HANDLE DlDbHandle;
1078 CSSM_DB_UNIQUE_RECORD_PTR UniqueRecord;
1079
1080 } CSSM_TP_APPLE_EVIDENCE_INFO;
1081
1082 /*
1083 * CSSM_TP_VERIFY_CONTEXT_RESULT.Evidence[0], basically defines which version/flavor
1084 * of remaining evidence is.
1085 */
1086 #define CSSM_TP_APPLE_EVIDENCE_VERSION 0
1087 typedef struct
1088 {
1089 uint32 Version;
1090 } CSSM_TP_APPLE_EVIDENCE_HEADER;
1091
1092
1093 /*
1094 * Apple-specific CSSM_EVIDENCE_FORM values
1095 *
1096 * The form of the evidence returns from CSSM_TP_CertGroupVerify is:
1097 *
1098 * EvidenceForm contents of *Evidence
1099 * ------------ ---------------------
1100 * CSSM_EVIDENCE_FORM_APPLE_HEADER CSSM_TP_APPLE_EVIDENCE_HEADER
1101 * CSSM_EVIDENCE_FORM_APPLE_CERTGROUP CSSM_CERTGROUP
1102 * CSSM_EVIDENCE_FORM_APPLE_CERT_INFO array of CSSM_TP_APPLE_EVIDENCE_INFO, size
1103 * CSSM_CERTGROUP.NumCerts
1104 */
1105
1106 #define CSSM_EVIDENCE_FORM_APPLE_CUSTOM 0x80000000
1107 enum
1108 {
1109 CSSM_EVIDENCE_FORM_APPLE_HEADER = CSSM_EVIDENCE_FORM_APPLE_CUSTOM + 0,
1110 CSSM_EVIDENCE_FORM_APPLE_CERTGROUP = CSSM_EVIDENCE_FORM_APPLE_CUSTOM + 1,
1111 CSSM_EVIDENCE_FORM_APPLE_CERT_INFO = CSSM_EVIDENCE_FORM_APPLE_CUSTOM + 2
1112 };
1113
1114 /* AppleX509CL extensions: passthrough ids */
1115 enum {
1116 /*
1117 * Obtain a signed Certificate Signing Request.
1118 * Input = CSSM_APPLE_CL_CSR_REQUEST
1119 * Output = allocated CSSM_DATA which points to a DER-encoded CSR.
1120 */
1121 CSSM_APPLEX509CL_OBTAIN_CSR,
1122
1123 /*
1124 * Perform signature verify of a CSR.
1125 * Input: CSSM_DATA referring to a DER-encoded CSR.
1126 * Output: Nothing, returns CSSMERR_CL_VERIFICATION_FAILURE on
1127 * on failure.
1128 */
1129 CSSM_APPLEX509CL_VERIFY_CSR
1130 };
1131
1132 /*
1133 * Used in CL's CSSM_APPLEX509_OBTAIN_CSR Passthrough. This is the
1134 * input; the output is a CSSM_DATA * containing the signed and
1135 * DER-encoded CSR.
1136 */
1137 typedef struct {
1138 CSSM_X509_NAME_PTR subjectNameX509;
1139
1140 /* Unfortunately there is no practical way to map any algorithm
1141 * to its appropriate OID, and we need both.... */
1142 CSSM_ALGORITHMS signatureAlg; // e.g., CSSM_ALGID_SHA1WithRSA
1143 CSSM_OID signatureOid; // e.g., CSSMOID_SHA1WithRSA
1144
1145 CSSM_CSP_HANDLE cspHand; // sign with this CSP
1146 const CSSM_KEY *subjectPublicKey;
1147 const CSSM_KEY *subjectPrivateKey;
1148
1149 /*
1150 * Optional challenge string.
1151 */
1152 const char *challengeString;
1153 } CSSM_APPLE_CL_CSR_REQUEST;
1154
1155 /*
1156 * When a CRL with no NextUpdate field is encountered, we use this time
1157 * as the NextUpdate attribute when storing in a DB. It represents the
1158 * virtual end of time in CSSM_TIMESTRING form.
1159 */
1160 #define CSSM_APPLE_CRL_END_OF_TIME "99991231235959"
1161
1162 /*
1163 * Default filesystem names and locations for SecurityServer features
1164 * (included here for lack of a better place)
1165 */
1166 #define kKeychainSuffix ".keychain"
1167 #define kKeychainDbSuffix ".keychain-db"
1168 #define kSystemKeychainName "System.keychain"
1169 #define kSystemKeychainDir "/Library/Keychains/"
1170 #define kSystemUnlockFile "/var/db/SystemKey"
1171
1172
1173 /*
1174 * CSSM ACL tags used to store partition/integrity data in ACLs
1175 */
1176 #define CSSM_APPLE_ACL_TAG_PARTITION_ID "___PARTITION___"
1177 #define CSSM_APPLE_ACL_TAG_INTEGRITY "___INTEGRITY___"
1178
1179
1180 void cssmPerror(const char *how, CSSM_RETURN error);
1181
1182 /* Convert between CSSM_OID and CSSM_ALGORITHMS */
1183 bool cssmOidToAlg(const CSSM_OID *oid, CSSM_ALGORITHMS *alg);
1184 const CSSM_OID *cssmAlgToOid(CSSM_ALGORITHMS algId);
1185
1186 /*
1187 * The MacOS OSStatus space has an embedding for UNIX errno values, similar to
1188 * the way we embed CSSM_RETURN values in OSStatus. These are the base and limit
1189 * values for this embedding.
1190 */
1191 #define errSecErrnoBase 100000
1192 #define errSecErrnoLimit 100255
1193
1194 #pragma clang diagnostic pop
1195
1196 #ifdef __cplusplus
1197 }
1198 #endif // __cplusplus
1199
1200 #endif /* _CSSMAPPLE_H_ */
mirror of Security