1 /*
2 * Copyright (c) 2008-2009,2012-2014,2017 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 *
23 * SecTrustServer.h - certificate trust evaluation engine
24 *
25 *
26 */
27
28 #ifndef _SECURITY_SECTRUSTSERVER_H_
29 #define _SECURITY_SECTRUSTSERVER_H_
30
31 #include <CoreFoundation/CFString.h>
32
33 #include <Security/SecTrust.h>
34 #include <Security/SecBasePriv.h> /* For errSecWaitForCallback. */
35 #include <Security/SecCertificatePath.h>
36 #include <securityd/SecCertificateServer.h>
37 #include <securityd/SecCertificateSource.h>
38 #include <mach/port.h>
39
40
41 __BEGIN_DECLS
42
43 typedef struct SecPathBuilder *SecPathBuilderRef;
44
45 typedef struct OpaqueSecPVC *SecPVCRef;
46
47 struct OpaqueSecPVC { /* Policy verification context: evaluation state kept per policy by a path builder (presumably one per entry in policies; see SecPathBuilderGetPVCCount/GetPVCAtIndex). */
48 SecPathBuilderRef builder; /* The path builder this context belongs to. */
49 CFArrayRef policies; /* Policies being evaluated — presumably the array handed to SecPathBuilderCreate; confirm. */
50 CFDictionaryRef callbacks; /* NOTE(review): looks like a table of policy check callbacks — confirm key/value types against the implementation. */
51 CFIndex policyIX; /* Index of the policy currently under evaluation — TODO confirm it indexes `policies`. */
52 bool require_revocation_response; /* Whether an online revocation response is mandatory for this evaluation; presumably tied to SecPathBuilderSetCheckRevocationOnline — confirm. */
53
54 CFArrayRef leafDetails; /* Details recorded for the leaf-only checks, presumably — confirm. */
55 SecTrustResultType leafResult; /* Trust result of the leaf-only checks, presumably — confirm. */
56
57 CFArrayRef details; /* Per-check details for the whole path; written via SecPathBuilderSetResultInPVCs (key, certificate index). */
58 SecTrustResultType result; /* Overall trust result for the path under this policy; same type the completion callback reports. */
59 };
60
61 /* Completion callback. */
62 typedef void(*SecPathBuilderCompleted)(const void *userData,
63 SecCertificatePathRef chain, CFArrayRef details, CFDictionaryRef info,
64 SecTrustResultType result);
65
66 /* Returns a new trust path builder and policy evaluation engine instance. */
67 SecPathBuilderRef SecPathBuilderCreate(CFDataRef clientAuditToken,
68 CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly,
69 bool keychainsAllowed, CFArrayRef policies, CFArrayRef ocspResponse,
70 CFArrayRef signedCertificateTimestamps, CFArrayRef trustedLogs,
71 CFAbsoluteTime verifyTime, CFArrayRef accessGroups, CFArrayRef exceptions,
72 SecPathBuilderCompleted completed, const void *userData);
73
74 /* Returns true if it's ok to perform network operations for this builder. */
75 bool SecPathBuilderCanAccessNetwork(SecPathBuilderRef builder);
76
77 /* Disable or enable network access for this builder; if allow is false,
78 network access will be disabled. */
79 void SecPathBuilderSetCanAccessNetwork(SecPathBuilderRef builder, bool allow);
80
81 /* Get the stapled SCTs */
82 CFArrayRef SecPathBuilderCopySignedCertificateTimestamps(SecPathBuilderRef builder);
83 CFArrayRef SecPathBuilderCopyOCSPResponses(SecPathBuilderRef builder);
84 CFArrayRef SecPathBuilderCopyTrustedLogs(SecPathBuilderRef builder);
85
86 SecCertificatePathVCRef SecPathBuilderGetPath(SecPathBuilderRef builder);
87 SecCertificatePathVCRef SecPathBuilderGetBestPath(SecPathBuilderRef builder);
88 CFAbsoluteTime SecPathBuilderGetVerifyTime(SecPathBuilderRef builder);
89 CFIndex SecPathBuilderGetCertificateCount(SecPathBuilderRef builder);
90 SecCertificateRef SecPathBuilderGetCertificateAtIndex(SecPathBuilderRef builder, CFIndex ix);
91 CFArrayRef SecPathBuilderGetExceptions(SecPathBuilderRef builder);
92 bool SecPathBuilderHasTemporalParentChecks(SecPathBuilderRef builder);
93
94 /* Returns the isAnchored status of the path. The path builder sets isAnchored
95 * based solely on whether the terminating cert has some sort of trust setting
96 * on it. This check does NOT reflect whether that anchor is actually trusted,
97 * as trust in an anchor is contextual to the policy being validated. */
98 bool SecPathBuilderIsAnchored(SecPathBuilderRef builder);
99 bool SecPathBuilderIsAnchorSource(SecPathBuilderRef builder, SecCertificateSourceRef source);
100
101
102 CFIndex SecPathBuilderGetPVCCount(SecPathBuilderRef builder);
103 SecPVCRef SecPathBuilderGetPVCAtIndex(SecPathBuilderRef builder, CFIndex ix);
104
105 void SecPathBuilderSetResultInPVCs(SecPathBuilderRef builder, CFStringRef key,
106 CFIndex ix, CFTypeRef result, bool force,
107 SecTrustResultType resultType);
108
109 /* This is a pre-decrement operation: the count is decremented first and the new value is returned. */
110 unsigned int SecPathBuilderDecrementAsyncJobCount(SecPathBuilderRef builder);
111 void SecPathBuilderSetAsyncJobCount(SecPathBuilderRef builder, unsigned int jobCount);
112
113 CFMutableDictionaryRef SecPathBuilderGetInfo(SecPathBuilderRef builder);
114
115 /* Enable revocation checking if the rest of the policy checks succeed. */
116 CFStringRef SecPathBuilderGetRevocationMethod(SecPathBuilderRef builder);
117 void SecPathBuilderSetRevocationMethod(SecPathBuilderRef builder, CFStringRef method);
118
119 /* Require an online revocation response for the chain. */
120 bool SecPathBuilderGetCheckRevocationOnline(SecPathBuilderRef builder);
121 void SecPathBuilderSetCheckRevocationOnline(SecPathBuilderRef builder);
122
123 /* Core of the trust evaluation engine: this invokes the completed
124 callback and returns false if the evaluation completed, or returns true if
125 the evaluation is still waiting for some external event (usually the
126 network). */
127 bool SecPathBuilderStep(SecPathBuilderRef builder);
128
129 /* Return the dispatch queue to be used by this builder. */
130 dispatch_queue_t SecPathBuilderGetQueue(SecPathBuilderRef builder);
131
132 /* Return the client audit token associated with this path builder,
133 which the caller must release, or NULL if there is no external client. */
134 CFDataRef SecPathBuilderCopyClientAuditToken(SecPathBuilderRef builder);
135
136 /* Evaluate trust and call evaluated when done. */
137 void SecTrustServerEvaluateBlock(CFDataRef clientAuditToken, CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef exceptions, void (^evaluated)(SecTrustResultType tr, CFArrayRef details, CFDictionaryRef info, SecCertificatePathRef chain, CFErrorRef error));
138
139 /* Synchronously invoke SecTrustServerEvaluateBlock. */
140 SecTrustResultType SecTrustServerEvaluate(CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef exceptions, CFArrayRef *details, CFDictionaryRef *info, SecCertificatePathRef *chain, CFErrorRef *error);
141
142 void InitializeAnchorTable(void);
143
144 __END_DECLS
145
146 #endif /* !_SECURITY_SECTRUSTSERVER_H_ */