2 * Copyright (c) 2007-2008,2010 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
25 * SecTrustSettingsPriv.h - TrustSettings SPI functions.
28 #ifndef _SECURITY_SECTRUSTSETTINGSPRIV_H_
29 #define _SECURITY_SECTRUSTSETTINGSPRIV_H_
31 #include <CoreFoundation/CoreFoundation.h>
32 #include <Security/SecPolicy.h>
33 #include <Security/SecCertificate.h>
34 #include <Security/SecTrustSettings.h>
41 * A TrustSettings Record contains the XML encoding of a CFDictionary. This dictionary
42 * currently contains two name/value pairs:
44 * key = kTrustRecordVersion, value = SInt32 version number
45 * key = kTrustRecordTrustList, value = CFDictionary
47 * Each key/value pair of the CFDictionary associated with key kTrustRecordTrustList
49 * -- key = the ASCII representation (with alpha characters in upper case) of the
51 * -- value = a CFDictionary representing one cert.
53 * Key/value pairs in the per-cert dictionary are as follows:
55 * -- key = kTrustRecordIssuer, value = non-normalized issuer as CFData
56 * -- key = kTrustRecordSerialNumber, value = serial number as CFData
57 * -- key = kTrustRecordModDate, value = CFDateRef of the last modification
58 date of the per-cert entry.
59 * -- key = kTrustRecordTrustSettings, value = array of dictionaries. The
60 * dictionaries are as described in the API in SecUserTrust.h
61 * although we store the values differently (see below).
62 * As written to disk, this key/value is always present although
63 * the usageConstraints array may be empty.
65 * A usageConstraints dictionary is like so (all elements are optional). These key
66 * strings are defined in SecUserTrust.h.
68 * key = kSecTrustSettingsPolicy value = policy OID as CFData
69 * key = kSecTrustSettingsApplication value = application path as CFString
70 * key = kSecTrustSettingsPolicyString value = CFString, policy-specific
71 * key = kSecTrustSettingsAllowedError value = CFNumber, an SInt32 CSSM_RETURN
72 * key = kSecTrustSettingsResult value = CFNumber, an SInt32 SecTrustSettingsResult
73 * key = kSecTrustSettingsKeyUsage value = CFNumber, an SInt32 key usage
74 * key = kSecTrustSettingsModifyDate value = CFDate, last modification
78 * Keys in the top-level dictionary
80 #define kTrustRecordVersion CFSTR("trustVersion")
81 #define kTrustRecordTrustList CFSTR("trustList")
84 * Keys in the per-cert dictionary in the TrustedRootList record.
86 /* value = non-normalized issuer as CFData */
87 #define kTrustRecordIssuer CFSTR("issuerName")
89 /* value = serial number as CFData */
90 #define kTrustRecordSerialNumber CFSTR("serialNumber")
92 /* value = CFDateRef representation of modification date */
93 #define kTrustRecordModDate CFSTR("modDate")
96 * value = array of CFDictionaries as used in public API
97 * Not present for a cert which has no usage Constraints (i.e.
98 * "wide open" unrestricted, kSecTrustSettingsResultTrustRoot as
99 * the default SecTrustSettingsResult).
101 #define kTrustRecordTrustSettings CFSTR("trustSettings")
104 * Version of the top-level dictionary.
107 kSecTrustRecordVersionInvalid
= 0, /* should never be seen on disk */
108 kSecTrustRecordVersionCurrent
= 1
112 * Key for the (optional) default entry in a TrustSettings record. This
113 * appears in place of the cert's hash string, and corresponds to
114 * kSecTrustSettingsDefaultRootCertSetting at the public API.
115 * If you change this, make sure it has characters other than those
116 * appearing in a normal cert hash string (0..9 and A..F).
118 #define kSecTrustRecordDefaultRootCert CFSTR("kSecTrustRecordDefaultRootCert")
121 * The location of the system root keychain and its associated TrustSettings.
122 * These are immutable; this module never modifies either of them.
124 #define SYSTEM_ROOT_STORE_PATH "/System/Library/Keychains/SystemRootCertificates.keychain"
125 #define SYSTEM_TRUST_SETTINGS_PATH "/System/Library/Keychains/SystemTrustSettings.plist"
128 * The local admin cert store.
130 #define ADMIN_CERT_STORE_PATH "/Library/Keychains/System.keychain"
133 * Per-user and local admin TrustSettings are stored in this directory.
134 * Per-user settings are of the form <uuid>.plist.
136 #define TRUST_SETTINGS_PATH "/Library/Trust Settings"
137 #define ADMIN_TRUST_SETTINGS "Admin.plist"
140 * Additional values for the SecTrustSettingsDomain enum.
144 * This indicates a TrustSettings that exists only in memory; it
145 * can't be written to disk.
147 kSecTrustSettingsDomainMemory
= 100
150 typedef struct __SecTrustSettings
*SecTrustSettingsRef
;
152 CFTypeID
SecTrustSettingsGetTypeID(void);
153 OSStatus
SecTrustSettingsCreateFromExternal(SecTrustSettingsDomain domain
,
154 CFDataRef external
, SecTrustSettingsRef
*ts
);
155 SecTrustSettingsRef
SecTrustSettingsCreate(SecTrustSettingsDomain domain
,
156 bool create
, bool trim
);
157 CFDataRef
SecTrustSettingsCopyExternal(SecTrustSettingsRef ts
);
158 void SecTrustSettingsSet(SecCertificateRef certRef
,
159 CFTypeRef trustSettingsDictOrArray
);
162 * Fundamental routine used to ascertain status of one cert.
164 * Returns true in *foundMatchingEntry if a trust setting matching
165 * specific constraints was found for the cert. Returns true in
166 * *foundAnyEntry if any entry was found for the cert, even if it
167 * did not match the specified constraints. The TP uses this to
168 * optimize for the case where a cert is being evaluated for
169 * one type of usage, and then later for another type. If
170 * foundAnyEntry is false, the second evaluation need not occur.
172 * Returns the domain in which a setting was found in *foundDomain.
174 * Allowed errors applying to the specified cert evaluation
175 * are returned in a mallocd array in *allowedErrors and must
176 * be freed by caller.
178 OSStatus
SecTrustSettingsEvaluateCertificate(
179 SecCertificateRef certificate
,
181 SecTrustSettingsKeyUsage keyUsage
, /* optional */
182 bool isSelfSignedCert
, /* for checking default setting */
183 /* RETURNED values */
184 SecTrustSettingsDomain
*foundDomain
,
185 CFArrayRef
*allowedErrors
, /* RETURNED */
186 SecTrustSettingsResult
*resultType
, /* RETURNED */
187 bool *foundMatchingEntry
,/* RETURNED */
188 bool *foundAnyEntry
); /* RETURNED */
191 * Add a cert's TrustSettings to a non-persistent TrustSettings record.
192 * Primarily intended for use in creating a system TrustSettings record
193 * (which is itself immutable via this module).
195 * The settingsIn argument is an external representation of a TrustSettings
196 * record, obtianed from this function or from
197 * SecTrustSettingsCreateExternalRepresentation().
198 * If settingsIn is NULL, a new (empty) TrustSettings will be created.
200 * The certRef and trustSettingsDictOrArray arguments are as in
201 * SecTrustSettingsSetTrustSettings(). May be NULL, when e.g. creating
202 * a new and empty TrustSettings record.
204 * The external representation is written to the settingOut argument,
205 * which must eventually be CFReleased by the caller.
207 OSStatus
SecTrustSettingsSetTrustSettingsExternal(
208 CFDataRef settingsIn
, /* optional */
209 SecCertificateRef certRef
, /* optional */
210 CFTypeRef trustSettingsDictOrArray
, /* optional */
211 CFDataRef
*settingsOut
); /* RETURNED */
217 #endif /* _SECURITY_SECTRUSTSETTINGSPRIV_H_ */