]> git.saurik.com Git - apple/security.git/blob - SecurityTests/clxutils/clAppUtils/certVerify.h
Security-57336.1.9.tar.gz
[apple/security.git] / SecurityTests / clxutils / clAppUtils / certVerify.h
1 #ifndef _CERT_VERIFY_H_
2 #define _CERT_VERIFY_H_
3
4 #include <clAppUtils/BlobList.h>
5 #include <Security/cssmtype.h>
6 #include <Security/cssmapple.h>
7
8 /* must be C++ since we use BlobList */
9 extern "C" {
10
11 /* Display verify results */
12 void dumpVfyResult(
13 const CSSM_TP_VERIFY_CONTEXT_RESULT *vfyResult);
14
15 typedef enum {
16 CVP_Basic = 0,
17 CVP_SSL,
18 CVP_SMIME,
19 CVP_SWUpdateSign, // was CVP_CodeSigning
20 CVP_ResourceSigning,
21 CVP_iChat,
22 CVP_IPSec,
23 CVP_PKINIT_Server,
24 CVP_PKINIT_Client,
25 CVP_AppleCodeSigning, // the Leopard version
26 CVP_PackageSigning
27 } CertVerifyPolicy;
28
29 typedef enum {
30 CRP_None = 0,
31 CRP_CRL,
32 CRP_OCSP,
33 CRP_CRL_OCSP
34 } CertRevokePolicy;
35
36 /*
37 * Since I never stop adding args to certVerify(), most of which have reasonable
38 * defaults, the inputs are now expressed like so.
39 */
40 #define CERT_VFY_ARGS_VERS 5 /* increment every time you change this struct */
41 typedef struct {
42 int version; /* must be CERT_VFY_ARGS_VERS */
43 CSSM_TP_HANDLE tpHand;
44 CSSM_CL_HANDLE clHand;
45 CSSM_CSP_HANDLE cspHand;
46 BlobList *certs;
47 BlobList *roots;
48 BlobList *crls;
49 char *vfyTime;
50
51 CSSM_BOOL certNetFetchEnable;
52 CSSM_BOOL useSystemAnchors;
53 CSSM_BOOL useTrustSettings;
54 CSSM_BOOL leafCertIsCA;
55 CSSM_BOOL allowExpiredRoot;
56 CSSM_BOOL implicitAnchors;
57 CSSM_DL_DB_LIST_PTR dlDbList; // optional
58 CertVerifyPolicy vfyPolicy;
59
60 const char *sslHost; // optional; SSL policy
61 CSSM_BOOL sslClient; // normally server side
62 const char *senderEmail; // optional, SMIME
63 CE_KeyUsage intendedKeyUse; // optional, SMIME only
64
65 /* revocation options */
66 CertRevokePolicy revokePolicy;
67 CSSM_BOOL allowUnverified; // if false, at least one must succeed
68
69 /* CRL options */
70 CSSM_BOOL requireCrlIfPresent;
71 CSSM_BOOL requireCrlForAll;
72 CSSM_BOOL crlNetFetchEnable;
73 CSSM_DL_DB_HANDLE_PTR crlDlDb; // obsolete: write CRLs here
74
75 /* OCSP options */
76 const char *responderURI; // optional, OCSP only
77 const unsigned char *responderCert; // optional, OCSP only
78 unsigned responderCertLen;// optional, OCSP only
79 CSSM_BOOL disableCache; // both r and w for now
80 CSSM_BOOL disableOcspNet;
81 CSSM_BOOL requireOcspIfPresent;
82 CSSM_BOOL requireOcspForAll;
83 CSSM_BOOL generateOcspNonce;
84 CSSM_BOOL requireOcspRespNonce;
85
86 const char *expectedErrStr;// e.g.,
87 // "CSSMERR_APPLETP_CRL_NOT_TRUSTED"
88
89 /*
90 * expected per-cert errors
91 * format is certNum:errorString
92 * e.g., "1:CSSMERR_APPLETP_CRL_NOT_TRUSTED"
93 */
94 unsigned numCertErrors;
95 const char **certErrors; // per-cert status
96
97 /*
98 * Expected per-cert status (CSSM_TP_APPLE_EVIDENCE_INFO.StatusBits)
99 * format is certNum:status_in_hex
100 * e.g., "1:0x18", leading 0x optional
101 */
102 unsigned numCertStatus;
103 const char **certStatus;
104 CSSM_BOOL quiet;
105 CSSM_BOOL verbose;
106
107 } CertVerifyArgs;
108
109 /* perform one cert/crl verification */
110 int certVerify(CertVerifyArgs *args);
111
112 /*
113 * A slightly simplified version of certVerify:
114 * -- no CRLs
115 * -- no DlDbs
116 * -- no net fetch
117 * -- time = now
118 * -- no trust settings
119 */
120 int certVerifySimple(
121 CSSM_TP_HANDLE tpHand,
122 CSSM_CL_HANDLE clHand,
123 CSSM_CSP_HANDLE cspHand,
124 BlobList &certs,
125 BlobList &roots,
126 CSSM_BOOL useSystemAnchors,
127 CSSM_BOOL leafCertIsCA,
128 CSSM_BOOL allowExpiredRoot,
129 CertVerifyPolicy vfyPolicy,
130 const char *sslHost, // optional, SSL policy
131 CSSM_BOOL sslClient, // normally server side
132 const char *senderEmail, // optional, SMIME
133 CE_KeyUsage intendedKeyUse, // optional, SMIME only
134 const char *expectedErrStr,// e.g.,
135 unsigned numCertErrors,
136 const char **certErrors, // per-cert status
137 unsigned numCertStatus,
138 const char **certStatus,
139 CSSM_BOOL useTrustSettings,
140 CSSM_BOOL quiet,
141 CSSM_BOOL verbose);
142
143 /* convert ASCII string in hex to unsigned */
144 unsigned hexToBin(const char *hex);
145
146 } /* extern "C" */
147
148 #endif /* _DO_VERIFY_H_ */