OSX/sec/Security/SecPolicyInternal.h

   1 /*
   2  * Copyright (c) 2008-2015 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 /*!
  25     @header SecPolicyPriv
  26     The functions provided in SecPolicyInternal provide the interface to
  27     trust policies used by SecTrust.
  28 */
  29
  30 #ifndef _SECURITY_SECPOLICYINTERNAL_H_
  31 #define _SECURITY_SECPOLICYINTERNAL_H_
  32
  33 #include <Security/SecPolicy.h>
  34 #include <Security/SecTrust.h>
  35 #include <Security/SecCertificatePath.h>
  36 #include <CoreFoundation/CFArray.h>
  37 #include <CoreFoundation/CFString.h>
  38 #include <CoreFoundation/CFRuntime.h>
  39
  40 __BEGIN_DECLS
  41
  42 /********************************************************
  43  ****************** SecPolicy struct ********************
  44  ********************************************************/
  45 struct __SecPolicy {
  46     CFRuntimeBase               _base;
  47     CFStringRef                 _oid;
  48         CFDictionaryRef         _options;
  49 };
  50
  51 /*!
  52     @enum Policy Check Keys
  53     @discussion Keys that represent various checks that can be done in a trust
  54         policy.
  55     @constant kSecPolicyCheckCriticalExtensions Ensure that no certificate in the chain has any critical extensions that we do not understand.
  56     @constant kSecPolicyCheckIdLinkage Check that all the certificates in the chain that have a SubjectId, match the AuthorityId of the certificate they sign.  This check is optional, in that if either certificate is missing the required extension the check succeeds.
  57         @constant kSecPolicyCheckBasicContraints Fails if the basic constraints for the certificate chain are not met, this allows for basic constraints to be non critical and doesn't require every CA certificate to have a basic constraints extension, and allows for leaf certificates to have basic constraints extensions.
  58         @constant kSecPolicyCheckExtendedKeyUsage @@@
  59         @constant kSecPolicyCheckIdLinkage Fails if the AuthorityKeyID -> SubjectKeyID chaining isn't right.
  60         @constant kSecPolicyCheckKeyUsage @@@
  61         @constant kSecPolicyCheckNonEmptySubject Perform the following check: RFC 3280, 4.1.2.6, says that an empty subject name can only appear in a leaf cert, and only if subjectAltName is present and marked critical.
  62         @constant kSecPolicyCheckQualifiedCertStatements Perform the following check: RFC 3739: if this cert has a Qualified Cert Statements extension, and it's Critical, make sure we understand all of the extension's statementIds.
  63         @constant kSecPolicyCheckValidIntermediates Fails if any certificates in the chain are not valid at the verify time other than the leaf and the root.
  64         @constant kSecPolicyCheckValidLeaf Fails if the leaf certificate is not valid at the verify time.
  65         @constant kSecPolicyCheckValidRoot Fails if the root certificate is not valid at the verify time.
  66         @constant kSecPolicyCheckAnchorTrusted @@@.
  67         @constant kSecPolicyCheckAnchorSHA1 @@@.
  68         @constant kSecPolicyCheckAnchorApple @@@.
  69         @constant kSecPolicyCheckSSLHostname @@@.
  70         @constant kSecPolicyCheckEmail @@@.
  71         @constant kSecPolicyCheckIssuerCommonName @@@.
  72         @constant kSecPolicyCheckSubjectCommonNamePrefix @@@.
  73         @constant kSecPolicyCheckChainLength @@@.
  74         @constant kSecPolicyCheckNotValidBefore @@@.
  75         @constant kSecPolicyCheckEAPTrustedServerNames @@@.
  76         @constant kSecPolicyCheckBasicCertificateProcessing @@@.
  77         @constant kSecPolicyCheckExtendedValidation @@@.
  78         @constant kSecPolicyCheckRevocation @@@.
  79         @constant kSecPolicyCheckNoNetworkAccess @@@.
  80     @constant kSecPolicyCheckBlackListedLeaf @@@.
  81 */
  82 extern const CFStringRef kSecPolicyCheckBasicContraints;
  83 extern const CFStringRef kSecPolicyCheckCriticalExtensions;
  84 extern const CFStringRef kSecPolicyCheckExtendedKeyUsage;
  85 extern const CFStringRef kSecPolicyCheckIdLinkage;
  86 extern const CFStringRef kSecPolicyCheckKeyUsage;
  87 extern const CFStringRef kSecPolicyCheckNonEmptySubject;
  88 extern const CFStringRef kSecPolicyCheckQualifiedCertStatements;
  89 extern const CFStringRef kSecPolicyCheckValidIntermediates;
  90 extern const CFStringRef kSecPolicyCheckValidLeaf;
  91 extern const CFStringRef kSecPolicyCheckValidRoot;
  92 extern const CFStringRef kSecPolicyCheckAnchorTrusted;
  93 extern const CFStringRef kSecPolicyCheckAnchorSHA1;
  94 extern const CFStringRef kSecPolicyCheckAnchorApple;
  95 extern const CFStringRef kSecPolicyAppleAnchorIncludeTestRoots;
  96 extern const CFStringRef kSecPolicyCheckSSLHostname;
  97 extern const CFStringRef kSecPolicyCheckEmail;
  98 extern const CFStringRef kSecPolicyCheckIssuerCommonName;
  99 extern const CFStringRef kSecPolicyCheckSubjectCommonName;
 100 extern const CFStringRef kSecPolicyCheckSubjectCommonNameTEST;
 101 extern const CFStringRef kSecPolicyCheckSubjectOrganization;
 102 extern const CFStringRef kSecPolicyCheckSubjectOrganizationalUnit;
 103 extern const CFStringRef kSecPolicyCheckSubjectCommonNamePrefix;
 104 extern const CFStringRef kSecPolicyCheckChainLength;
 105 extern const CFStringRef kSecPolicyCheckNotValidBefore;
 106 extern const CFStringRef kSecPolicyCheckEAPTrustedServerNames;
 107 extern const CFStringRef kSecPolicyCheckCertificatePolicy;
 108 extern const CFStringRef kSecPolicyCheckBasicCertificateProcessing;
 109 extern const CFStringRef kSecPolicyCheckExtendedValidation;
 110 extern const CFStringRef kSecPolicyCheckRevocation;
 111 extern const CFStringRef kSecPolicyCheckRevocationResponseRequired;
 112 extern const CFStringRef kSecPolicyCheckNoNetworkAccess;
 113 extern const CFStringRef kSecPolicyCheckBlackListedLeaf;
 114 extern const CFStringRef kSecPolicyCheckBlackListedKey;
 115 extern const CFStringRef kSecPolicyCheckGrayListedLeaf;
 116 extern const CFStringRef kSecPolicyCheckLeafMarkerOid;
 117 extern const CFStringRef kSecPolicyCheckIntermediateMarkerOid;
 118 extern const CFStringRef kSecPolicyCheckIntermediateSPKISHA256;
 119 extern const CFStringRef kSecPolicyCheckGrayListedKey;
 120 extern const CFStringRef kSecPolicyCheckCertificateTransparency;
 121
 122 SecPolicyRef SecPolicyCreate(CFStringRef oid, CFDictionaryRef options);
 123
 124 CFStringRef SecPolicyGetOidString(SecPolicyRef policy);
 125 CFDictionaryRef SecPolicyGetOptions(SecPolicyRef policy);
 126 void SecPolicySetOptionsValue(SecPolicyRef policy, CFStringRef key, CFTypeRef value);
 127
 128 xpc_object_t SecPolicyArrayCopyXPCArray(CFArrayRef policies, CFErrorRef *error);
 129 CFArrayRef SecPolicyXPCArrayCopyArray(xpc_object_t xpc_policies, CFErrorRef *error);
 130
 131 __END_DECLS
 132
 133 #endif /* !_SECURITY_SECPOLICYINTERNAL_H_ */