1 /*
2 * Copyright (c) 2003-2015 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 /*!
25 @header SecPolicyPriv
26 Private part of SecPolicy.h
27 */
28
29 #ifndef _SECURITY_SECPOLICYPRIV_H_
30 #define _SECURITY_SECPOLICYPRIV_H_
31
32 #include <Security/SecPolicy.h>
33 #include <CoreFoundation/CFArray.h>
34
35
36 #if defined(__cplusplus)
37 extern "C" {
38 #endif
39
40 /*!
41 @enum Policy Constants (Private)
42 @discussion Predefined constants used to specify a policy.
Each constant is declared below as an extern CFStringRef. The OTAPKISigner,
TestOTAPKISigner, IDValidationRecordSigningPolicy, SMPEncryption and
TestSMPEncryption constants are declared only inside the TARGET_OS_IPHONE
conditional, with __MAC_NA as their OS X availability.
NOTE(review): the Test and QA variants presumably select non-production
trust hierarchies; confirm they are never used for production trust decisions.
43 @constant kSecPolicyAppleMobileStore
44 @constant kSecPolicyAppleTestMobileStore
45 @constant kSecPolicyAppleEscrowService
46 @constant kSecPolicyAppleProfileSigner
47 @constant kSecPolicyAppleQAProfileSigner
48 @constant kSecPolicyAppleServerAuthentication
49 @constant kSecPolicyAppleOTAPKISigner
50 @constant kSecPolicyAppleTestOTAPKISigner
51 @constant kSecPolicyAppleIDValidationRecordSigningPolicy
52 @constant kSecPolicyAppleSMPEncryption
53 @constant kSecPolicyAppleTestSMPEncryption
54 @constant kSecPolicyApplePCSEscrowService
55 @constant kSecPolicyApplePPQSigning
56 @constant kSecPolicyAppleTestPPQSigning
57 @constant kSecPolicyAppleSWUpdateSigning
58 @constant kSecPolicyAppleATVAppSigning
59 @constant kSecPolicyAppleTestATVAppSigning
60
61 */
62 extern const CFStringRef kSecPolicyAppleMobileStore
63 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
64 extern const CFStringRef kSecPolicyAppleTestMobileStore
65 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
66 extern const CFStringRef kSecPolicyAppleEscrowService
67 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
68 extern const CFStringRef kSecPolicyAppleProfileSigner
69 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
70 extern const CFStringRef kSecPolicyAppleQAProfileSigner
71 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
72 extern const CFStringRef kSecPolicyAppleServerAuthentication
73 __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0);
74 #if TARGET_OS_IPHONE
75 extern const CFStringRef kSecPolicyAppleOTAPKISigner
76 __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_7_0);
77 extern const CFStringRef kSecPolicyAppleTestOTAPKISigner
78 __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_7_0);
79 extern const CFStringRef kSecPolicyAppleIDValidationRecordSigningPolicy
80 __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_7_0);
81 extern const CFStringRef kSecPolicyAppleSMPEncryption
82 __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_8_0);
83 extern const CFStringRef kSecPolicyAppleTestSMPEncryption
84 __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_8_0);
85 #endif
86 extern const CFStringRef kSecPolicyApplePCSEscrowService
87 __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0);
88 extern const CFStringRef kSecPolicyApplePPQSigning
89 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
90 extern const CFStringRef kSecPolicyAppleTestPPQSigning
91 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
92 extern const CFStringRef kSecPolicyAppleSWUpdateSigning
93 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
94 extern const CFStringRef kSecPolicyAppleATVAppSigning
95 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
96 extern const CFStringRef kSecPolicyAppleTestATVAppSigning
97 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
98
99 /*!
100 @function SecPolicyCopy
101 @abstract Returns a copy of a policy reference based on certificate type and OID.
102 @param certificateType A certificate type.
103 @param policyOID The OID of the policy you want to find. This is a required parameter. See oidsalg.h to see a list of policy OIDs.
104 @param policy The returned policy reference. This is a required parameter.
NOTE(review): the Copy naming suggests the caller owns the returned reference and must release it; confirm.
105 @result A result code. See "Security Error Codes" (SecBase.h).
106 @discussion This function is deprecated in Mac OS X 10.7 and later;
107 to obtain a policy reference, use one of the SecPolicyCreate* functions in SecPolicy.h.
The availability macro below marks it as unavailable on iOS (__IPHONE_NA).
108 */
109 OSStatus SecPolicyCopy(CSSM_CERT_TYPE certificateType, const CSSM_OID *policyOID, SecPolicyRef* policy)
110 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_3, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);
111
112 /*!
113 @function SecPolicyCopyAll
114 @abstract Returns an array of all known policies based on certificate type.
115 @param certificateType A certificate type. This is an optional parameter. Pass CSSM_CERT_UNKNOWN if the certificate type is unknown.
116 @param policies The returned array of policies. This is a required parameter.
NOTE(review): the Copy naming suggests the caller owns the returned array and must release it; confirm.
117 @result A result code. See "Security Error Codes" (SecBase.h).
118 @discussion This function is deprecated in Mac OS X 10.7 and later;
119 to obtain a policy reference, use one of the SecPolicyCreate* functions in SecPolicy.h. (Note: there is normally
120 no reason to iterate over multiple disjointed policies, except to provide a way to edit trust settings for each
121 policy, as is done in certain certificate UI views. In that specific case, your code should call SecPolicyCreateWithOID
122 for each desired policy from the list of supported OID constants in SecPolicy.h.)
123 */
124 OSStatus SecPolicyCopyAll(CSSM_CERT_TYPE certificateType, CFArrayRef* policies)
125 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_3, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);
126
127 /* Given a unified SecPolicyRef, return a copy with a legacy
128 C++ ItemImpl-based Policy instance. Only for internal use;
129 legacy references cannot be used by SecPolicy API functions.
The returned reference must therefore not be handed back to
SecPolicy API functions.
NOTE(review): the Create naming suggests the caller releases the
result; confirm. */
130 SecPolicyRef SecPolicyCreateItemImplInstance(SecPolicyRef policy);
131
132 /* Given a CSSM_OID pointer, return a string which can be passed
133 to SecPolicyCreateWithProperties. The return value can be NULL
134 if no supported policy was found for the OID argument.
Callers should check for NULL before passing the result on, so that
an unsupported OID is not mistaken for a usable policy identifier.
NOTE(review): the Get naming suggests the caller does not own the
returned string; confirm. */
135 CFStringRef SecPolicyGetStringForOID(CSSM_OID* oid);
136
137 /*!
138 @function SecPolicyCreateAppleIDSService
139 @abstract Ensure we're appropriately pinned to the IDS service (SSL + Apple restrictions)
@param hostname NOTE(review): presumably the server name the SSL check is evaluated against; confirm, including whether NULL is accepted.
@result A policy reference. NOTE(review): the Create naming suggests the caller releases it; confirm.
140 */
141 SecPolicyRef SecPolicyCreateAppleIDSService(CFStringRef hostname);
142
143 /*!
144 @function SecPolicyCreateAppleIDSServiceContext
145 @abstract Ensure we're appropriately pinned to the IDS service (SSL + Apple restrictions)
@param hostname NOTE(review): presumably the server name the SSL check is evaluated against; confirm.
@param context A dictionary whose keys and effect on the pinning checks are not described in this header; confirm against the implementation before relying on it.
@result A policy reference. NOTE(review): the Create naming suggests the caller releases it; confirm.
146 */
147 SecPolicyRef SecPolicyCreateAppleIDSServiceContext(CFStringRef hostname, CFDictionaryRef context);
148
149 /*!
150 @function SecPolicyCreateApplePushService
151 @abstract Ensure we're appropriately pinned to the Push service (SSL + Apple restrictions)
@param hostname NOTE(review): presumably the server name the SSL check is evaluated against; confirm.
@param context A dictionary whose keys and effect on the pinning checks are not described in this header; confirm against the implementation.
@result A policy reference. NOTE(review): the Create naming suggests the caller releases it; confirm.
152 */
153 SecPolicyRef SecPolicyCreateApplePushService(CFStringRef hostname, CFDictionaryRef context);
154
155 /*!
156 @function SecPolicyCreateApplePushServiceLegacy
157 @abstract Ensure we're appropriately pinned to the Push service (SSL + Apple restrictions)
@discussion Takes only a hostname, unlike SecPolicyCreateApplePushService, which also takes a context dictionary.
NOTE(review): how the Legacy checks differ from the non-legacy policy is not stated here; confirm before choosing between them.
@param hostname NOTE(review): presumably the server name the SSL check is evaluated against; confirm.
158 */
159 SecPolicyRef SecPolicyCreateApplePushServiceLegacy(CFStringRef hostname);
160
161 /*!
162 @function SecPolicyCreateAppleMMCSService
163 @abstract Ensure we're appropriately pinned to the IDS service (SSL + Apple restrictions)
NOTE(review): the abstract names the IDS service although the function name refers to MMCS; this looks like text
carried over from SecPolicyCreateAppleIDSService. Confirm which service this policy pins to.
@param hostname NOTE(review): presumably the server name the SSL check is evaluated against; confirm.
@param context A dictionary whose keys and effect on the pinning checks are not described in this header; confirm against the implementation.
164 */
165 SecPolicyRef SecPolicyCreateAppleMMCSService(CFStringRef hostname, CFDictionaryRef context);
166
167 /*!
168 @function SecPolicyCreateAppleGSService
169 @abstract Ensure we're appropriately pinned to the GS service (SSL + Apple restrictions)
@param hostname NOTE(review): presumably the server name the SSL check is evaluated against; confirm.
@param context A dictionary whose keys and effect on the pinning checks are not described in this header; confirm against the implementation.
@result A policy reference. NOTE(review): the Create naming suggests the caller releases it; confirm.
170 */
171 SecPolicyRef SecPolicyCreateAppleGSService(CFStringRef hostname, CFDictionaryRef context)
172 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
173
174 /*!
175 @function SecPolicyCreateApplePPQService
176 @abstract Ensure we're appropriately pinned to the PPQ service (SSL + Apple restrictions)
@param hostname NOTE(review): presumably the server name the SSL check is evaluated against; confirm.
@param context A dictionary whose keys and effect on the pinning checks are not described in this header; confirm against the implementation.
@result A policy reference. NOTE(review): the Create naming suggests the caller releases it; confirm.
177 */
178 SecPolicyRef SecPolicyCreateApplePPQService(CFStringRef hostname, CFDictionaryRef context);
179
180 /*!
181 @function SecPolicyCreateAppleSSLService
182 @abstract Ensure we're appropriately pinned to an Apple server (SSL + Apple restrictions)
@param hostname NOTE(review): presumably the server name the SSL check is evaluated against; confirm, including whether NULL is accepted.
@result A policy reference. NOTE(review): the Create naming suggests the caller releases it; confirm.
183 */
184 SecPolicyRef SecPolicyCreateAppleSSLService(CFStringRef hostname);
185
186 /*!
187 @function SecPolicyCreateAppleTimeStampingAndRevocationPolicies
188 @abstract Create timeStamping policy array from a given set of policies by applying identical revocation behavior
189 @param policyOrArray can be a SecPolicyRef or a CFArray of SecPolicyRef
The parameter is typed CFTypeRef, so the compiler does not restrict it to those two types.
NOTE(review): behavior for any other type, or for NULL, is not stated here; confirm.
@result An array of policies. NOTE(review): the Create naming suggests the caller releases it; confirm.
190 */
191 CFArrayRef SecPolicyCreateAppleTimeStampingAndRevocationPolicies(CFTypeRef policyOrArray);
192
193 /*!
194 @function SecPolicyCreateAppleATVAppSigning
195 @abstract Check for intermediate certificate 'Apple Worldwide Developer Relations Certification Authority' by name,
196 and apple anchor.
197 Leaf cert must have Digital Signature usage.
198 Leaf cert must have Apple ATV App Signing marker OID (1.2.840.113635.100.6.1.24).
199 Leaf cert must have 'Apple TVOS Application Signing' common name.
NOTE(review): the intermediate is identified by name, so the chain's authenticity rests on the Apple anchor
requirement listed alongside it; confirm the implementation enforces both.
@result A policy reference. NOTE(review): the Create naming suggests the caller releases it; confirm.
200 */
201 SecPolicyRef SecPolicyCreateAppleATVAppSigning(void)
202 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
203
204 /*!
205 @function SecPolicyCreateTestAppleATVAppSigning
206 @abstract Check for intermediate certificate 'Apple Worldwide Developer Relations Certification Authority' by name,
207 and apple anchor.
208 Leaf cert must have Digital Signature usage.
209 Leaf cert must have Apple ATV App Signing Test marker OID (1.2.840.113635.100.6.1.24.1).
210 Leaf cert must have 'TEST Apple TVOS Application Signing TEST' common name.
This is the test counterpart of SecPolicyCreateAppleATVAppSigning: it requires the Test marker OID and the TEST
common name given above rather than the production ones.
NOTE(review): presumably intended for test-signed apps only; confirm it is never used for production trust decisions.
@result A policy reference. NOTE(review): the Create naming suggests the caller releases it; confirm.
211 */
212 SecPolicyRef SecPolicyCreateTestAppleATVAppSigning(void)
213 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
214
215 /*!
216 @function SecPolicyCreateApplePayIssuerEncryption
217 @abstract Check for intermediate certificate 'Apple Worldwide Developer Relations CA - G2' by name,
218 and apple anchor.
219 Leaf cert must have Key Encipherment and Key Agreement usage.
220 Leaf cert must have Apple Pay Issuer Encryption marker OID (1.2.840.113635.100.6.39).
NOTE(review): the intermediate is identified by name, so the chain's authenticity rests on the Apple anchor
requirement listed alongside it; confirm the implementation enforces both.
@result A policy reference. NOTE(review): the Create naming suggests the caller releases it; confirm.
221 */
222 SecPolicyRef SecPolicyCreateApplePayIssuerEncryption(void)
223 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
224
225 #if defined(__cplusplus)
226 }
227 #endif
228
229 #endif /* !_SECURITY_SECPOLICYPRIV_H_ */