OSX/sec/Security/SecTrustSettingsPriv.h

   1 /*
   2  * Copyright (c) 2007-2008,2010,2012-2015 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 /*
  25  * SecTrustSettingsPriv.h - TrustSettings SPI functions.
  26  */
  27
  28 #ifndef _SECURITY_SECTRUSTSETTINGSPRIV_H_
  29 #define _SECURITY_SECTRUSTSETTINGSPRIV_H_
  30
  31 #include <CoreFoundation/CoreFoundation.h>
  32 #include <Security/SecPolicy.h>
  33 #include <Security/SecCertificate.h>
  34 #include <Security/SecTrustSettings.h>
  35
  36 #ifdef __cplusplus
  37 extern "C" {
  38 #endif
  39
  40 /*
  41  * A TrustSettings Record contains the XML encoding of a CFDictionary. This dictionary
  42  * currently contains two name/value pairs:
  43  *
  44  * key = kTrustRecordVersion,   value = SInt32 version number
  45  * key = kTrustRecordTrustList, value = CFDictionary
  46  *
  47  * Each key/value pair of the CFDictionary associated with key kTrustRecordTrustList
  48  * consists of:
  49  * -- key   = the ASCII representation (with alpha characters in upper case) of the
  50  *            cert's SHA1 digest.
  51  * -- value = a CFDictionary representing one cert.
  52  *
  53  * Key/value pairs in the per-cert dictionary are as follows:
  54  *
  55  * -- key = kTrustRecordIssuer, value = non-normalized issuer as CFData
  56  * -- key = kTrustRecordSerialNumber, value = serial number as CFData
  57  * -- key = kTrustRecordModDate, value = CFDateRef of the last modification
  58                         date of the per-cert entry.
  59  * -- key = kTrustRecordTrustSettings, value = array of dictionaries. The
  60  *          dictionaries are as described in the API in SecUserTrust.h
  61  *                      although we store the values differently (see below).
  62  *                      As written to disk, this key/value is always present although
  63  *                      the usageConstraints array may be empty.
  64  *
  65  * A usageConstraints dictionary is like so (all elements are optional). These key
  66  * strings are defined in SecUserTrust.h.
  67  *
  68  * key = kSecTrustSettingsPolicy                value = policy OID as CFData
  69  * key = kSecTrustSettingsApplication   value = application path as CFString
  70  * key = kSecTrustSettingsPolicyString  value = CFString, policy-specific
  71  * key = kSecTrustSettingsAllowedError  value = CFNumber, an SInt32 CSSM_RETURN
  72  * key = kSecTrustSettingsResult                value = CFNumber, an SInt32 SecTrustSettingsResult
  73  * key = kSecTrustSettingsKeyUsage              value = CFNumber, an SInt32 key usage
  74  * key = kSecTrustSettingsModifyDate    value = CFDate, last modification
  75  */
  76
  77 /*
  78  * Keys in the top-level dictionary
  79  */
  80 #define kTrustRecordVersion                             CFSTR("trustVersion")
  81 #define kTrustRecordTrustList                   CFSTR("trustList")
  82
  83 /*
  84  * Keys in the per-cert dictionary in the TrustedRootList record.
  85  */
  86 /* value = non-normalized issuer as CFData */
  87 #define kTrustRecordIssuer                              CFSTR("issuerName")
  88
  89 /* value = serial number as CFData */
  90 #define kTrustRecordSerialNumber                CFSTR("serialNumber")
  91
  92 /* value = CFDateRef representation of modification date */
  93 #define kTrustRecordModDate                             CFSTR("modDate")
  94
  95 /*
  96  * value = array of CFDictionaries as used in public API
  97  * Not present for a cert which has no usage Constraints (i.e.
  98  * "wide open" unrestricted, kSecTrustSettingsResultTrustRoot as
  99  * the default SecTrustSettingsResult).
 100  */
 101 #define kTrustRecordTrustSettings               CFSTR("trustSettings")
 102
 103 /*
 104  * Version of the top-level dictionary.
 105  */
 106 enum {
 107         kSecTrustRecordVersionInvalid   = 0,    /* should never be seen on disk */
 108         kSecTrustRecordVersionCurrent   = 1
 109 };
 110
 111 /*
 112  * Key for the (optional) default entry in a TrustSettings record. This
 113  * appears in place of the cert's hash string, and corresponds to
 114  * kSecTrustSettingsDefaultRootCertSetting at the public API.
 115  * If you change this, make sure it has characters other than those
 116  * appearing in a normal cert hash string (0..9 and A..F).
 117  */
 118 #define kSecTrustRecordDefaultRootCert          CFSTR("kSecTrustRecordDefaultRootCert")
 119
 120 /*
 121  * The location of the system root keychain and its associated TrustSettings.
 122  * These are immutable; this module never modifies either of them.
 123  */
 124 #define SYSTEM_ROOT_STORE_PATH                  "/System/Library/Keychains/SystemRootCertificates.keychain"
 125 #define SYSTEM_TRUST_SETTINGS_PATH              "/System/Library/Keychains/SystemTrustSettings.plist"
 126
 127 /*
 128  * The local admin cert store.
 129  */
 130 #define ADMIN_CERT_STORE_PATH                   "/Library/Keychains/System.keychain"
 131
 132 /*
 133  * Per-user and local admin TrustSettings are stored in this directory.
 134  * Per-user settings are of the form <uuid>.plist.
 135  */
 136 #define TRUST_SETTINGS_PATH                             "/Library/Trust Settings"
 137 #define ADMIN_TRUST_SETTINGS                    "Admin.plist"
 138
 139 /*
 140  * Additional values for the SecTrustSettingsDomain enum.
 141  */
 142 enum {
 143         /*
 144          * This indicates a TrustSettings that exists only in memory; it
 145          * can't be written to disk.
 146          */
 147         kSecTrustSettingsDomainMemory = 100
 148 };
 149
 150 typedef struct __SecTrustSettings *SecTrustSettingsRef;
 151
 152 CFTypeID SecTrustSettingsGetTypeID(void);
 153 OSStatus SecTrustSettingsCreateFromExternal(SecTrustSettingsDomain domain,
 154     CFDataRef external, SecTrustSettingsRef *ts);
 155 SecTrustSettingsRef SecTrustSettingsCreate(SecTrustSettingsDomain domain,
 156     bool create, bool trim);
 157 CFDataRef SecTrustSettingsCopyExternal(SecTrustSettingsRef ts);
 158 void SecTrustSettingsSet(SecCertificateRef certRef,
 159     CFTypeRef trustSettingsDictOrArray);
 160
 161 /*
 162  * Fundamental routine used to ascertain status of one cert.
 163  *
 164  * Returns true in *foundMatchingEntry if a trust setting matching
 165  * specific constraints was found for the cert. Returns true in
 166  * *foundAnyEntry if any entry was found for the cert, even if it
 167  * did not match the specified constraints. The TP uses this to
 168  * optimize for the case where a cert is being evaluated for
 169  * one type of usage, and then later for another type. If
 170  * foundAnyEntry is false, the second evaluation need not occur.
 171  *
 172  * Returns the domain in which a setting was found in *foundDomain.
 173  *
 174  * Allowed errors applying to the specified cert evaluation
 175  * are returned in a mallocd array in *allowedErrors and must
 176  * be freed by caller.
 177  */
 178 OSStatus SecTrustSettingsEvaluateCertificate(
 179         SecCertificateRef certificate,
 180         SecPolicyRef policy,
 181         SecTrustSettingsKeyUsage        keyUsage,                       /* optional */
 182         bool                                            isSelfSignedCert,       /* for checking default setting */
 183         /* RETURNED values */
 184         SecTrustSettingsDomain          *foundDomain,
 185         CFArrayRef                                      *allowedErrors, /* RETURNED */
 186         SecTrustSettingsResult          *resultType,            /* RETURNED */
 187         bool                                            *foundMatchingEntry,/* RETURNED */
 188         bool                                            *foundAnyEntry);        /* RETURNED */
 189
 190 /*
 191  * Add a cert's TrustSettings to a non-persistent TrustSettings record.
 192  * Primarily intended for use in creating a system TrustSettings record
 193  * (which is itself immutable via this module).
 194  *
 195  * The settingsIn argument is an external representation of a TrustSettings
 196  * record, obtianed from this function or from
 197  * SecTrustSettingsCreateExternalRepresentation().
 198  * If settingsIn is NULL, a new (empty) TrustSettings will be created.
 199  *
 200  * The certRef and trustSettingsDictOrArray arguments are as in
 201  * SecTrustSettingsSetTrustSettings(). May be NULL, when e.g. creating
 202  * a new and empty TrustSettings record.
 203  *
 204  * The external representation is written to the settingOut argument,
 205  * which must eventually be CFReleased by the caller.
 206  */
 207 #if SECTRUST_OSX
 208 OSStatus SecTrustSettingsSetTrustSettingsExternal_ios(
 209 #else
 210 OSStatus SecTrustSettingsSetTrustSettingsExternal(
 211 #endif
 212         CFDataRef                       settingsIn,                                     /* optional */
 213         SecCertificateRef       certRef,                                        /* optional */
 214         CFTypeRef                       trustSettingsDictOrArray,       /* optional */
 215         CFDataRef                       *settingsOut);                          /* RETURNED */
 216
 217 #ifdef __cplusplus
 218 }
 219 #endif
 220
 221 #endif  /* _SECURITY_SECTRUSTSETTINGSPRIV_H_ */
 222